[PATCH] fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

Daniel Lenski dlenski at gmail.com
Tue Aug 15 14:17:57 PDT 2017

On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2017-08-15 at 11:42 -0700, Daniel Lenski wrote:
>> +               mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD
>> +                       - (vpninfo->hmac_key_len ? : 20) /* biggest supported MAC (SHA1) */
>> +                       - (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */ );
>>                 if (vpninfo->peer_addr->sa_family == AF_INET6)
>>                         mtu -= IPV6_HEADER_SIZE;
> Better... except that you left the padding hard-coded to 16. That would
> be the same as the cipher blocksize (== IV size).... except you don't
> actually *need* to be pessimistic. It can be calculated exactly, just
> as dtls_get_data_mtu() does in openssl-dtls.c
> From payload MTU, add at least 1 byte of padding, round up to the next
> multiple of the blocksize. Add the MAC size, and other headers. That's
> the packet on the wire.
> So from wire packet MTU, subtract headers and MAC and IV, round *down*
> to a multiple of blocksize, subtract one byte for the *minimal*
> padding, and that's the largest payload you can carry.

Aha, thanks, I'll look at dtls_get_data_mtu() and try to get this exactly right.

One frustrating thing about GP is that I literally have *no clue* what
the MTU "inside" the VPN looks like.

At least one user has reported
(https://github.com/dlenski/openconnect/issues/43) that the VPN is
much faster when using --mtu with a value that's several times higher
than the apparent "wire MTU." Which means that fragmenting and
reassembling packets between the local host and the VPN gateway is
significantly more efficient than passing the smaller packets through.


More information about the openconnect-devel mailing list