General

AH does not support NAT in neither transport nor tunnel, because IP is changed and ICV is computed from original IP header (Transport mode) and also new (Tunnel mode).

ESP supports NAT only in Tunnel mode, in Transport I am not sure why, probably hash is in Tunnel mode computed from inner IP, so in transport there is only one IP header, so if this changes by NAT and hash is computed from it, integrity check fails.

Transport mode is usually used when another tunnel is used e.g. GRE/L2TP, but NAT must not be used. Or it is also used inside intra network. Probably not true bcs using L2TP/IPSec uses ESP transport mode also with NAT/PAT, but NAT-T must be used

MAX MSS/MTU Tunnel Mode

TODO:

Values in italics can be variable, according to Cipher and Hash. Probably using AES GCM would lead not using ICV field

ESP Overhead for AES-256(CBC) with SHA256:

New IP Header 20B
ESP SPI 4B
ESP SEQ 4B
ESP IV 16B - AES-128/192/256 has 128b data input 128/8 = 16
ESP Padding 15B - AES-128/192/256 has 128b data input 128/8 = 16-1 = 15, worst case when 1B packet will be present
Padding length 1B
Next header 1B
ICV 16B - half of hash-truncated, SHA256 - 128/8 = 16, exception with SHA 96/8 = 12

OVERHEAD 77B

Standard MTU (Ethernet) - 1500B

MSS = 1500 - 20(IP) - 20(TCP) - 77 = 1383B

With NAT-T, which shoul be used when NAT is present, so I think everytime, substitude 8B

MSS = 1375B (NAT-T)

MSS = 1367B (PPPoE) because not 1500B but 1492B

L2TP/IPSec

MAX MSS/MTU

TODO: ADD picture [3]

L2TP over IPsec has even more overhead calculation are based on IPSec from previous section.

MSS starts with 1383 + 20 = 1403 beacause it uses ESP transport mode, no new IP header is added in ESP, but it is added by L2TP, which will be added below.

ESP Overhead for AES-256(CBC) with SHA256:

IP Header (New outer) 20B
UDP Header (NAT-T) 8B
UDP Header (L2TP) 8B
L2TP Header 16B
PPP Header 4B

OVERHEAD 56B

MSS = 1403-56 = 1347

MSS = 1339 (PPPoE)

MTU = 1339 + 40(IP+TCP) = 1379 (according to picture) applied on L2TP interface

Mikrotik L2TP/IPSEC - IPSec is used in trasnsport mode probably

MTU Discover

Option "-M do" means do not fragment, if is big, packet is not send and notification is displayed to terminal. Option "-s $((1406 - 28))" 1406 is real MTU, as ICMP + IP is automatically added.

 ping -s $((1406 - 28)) -M do 192.168.253.30

Subnetting

Supernet calculator:

https://network00.com/NetworkTools/IPv4SupernetCalculator/

IP Calculator:

http://jodies.de/ipcalc?host=192.168.31.0&mask1=23&mask2=

IP addressing summary:

https://subnet-calculator.samuraj-cz.com

Firewall

ACK PSH to router IP

Sometimes in FW rules can be seen drop out of PPPoe with private IP address as a destination. Probably it is connected with timeout-ed connection and Google servers tries to reach client. In MikroTik traffic is going from PPPoE to PPPoE interface with destination private IP Google IP sends a TCP (ACK, PSH) to my router. Known why?

Performance

iperf - reverse mode means send from server to client. Sometimes window mus be enlarged and sometime in linux one property must be set on interface to allow full speed. Default port is 5201, check firewall and also local device firewall, antimalware software can block it too. Multiple streams can boost speed.

iperf3 -s
iperf3 -c 192.168.1.1 -R -P 4

SMB
FTP
WGET - is sometimes better and more reflect real speeds. To outcome bottleneck, do not use HDD, used random generated file read from SSD (/dev/urandom >> /tmp/file) used apache/nginx and write it to /dev/null then real speeds will be captured.

Bottlenecks:

CPU
Network interface
Network transit device e.g. firewall
QoS
HDD

General

Contents

Design and Architecture

Protocols

Spanning tree

NAT

Detect rogue router/NAT

IPSec

TUNNEL vs TRANSPORT & AH vs ESP

MAX MSS/MTU Tunnel Mode

L2TP/IPSec

MAX MSS/MTU

MTU Discover

Subnetting

Firewall

ACK PSH to router IP

Performance

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools