CIPSO making your packets too fat? Jumbo frames to the rescue!

When you’re routing traffic from an unlabeled network (using plain IP) over a network where sensitivity labels are added to the packets using CIPSO headers, this may cause problems: the space used by the labels is no longer available for the payload, so the packets need to be made a bit smaller.

This shouldn’t be a problem as that’s what fragmentation is for.

Sadly enough, some systems set the “Don’t Fragment” bit and fail to handle the “ICMP fragmentation required” packets that may get sent as a result, leaving the router between the unlabeled and the labeled networks unable to route the packets.

The jumbo frame support in many of the network drivers in Solaris provides an easy solution, permitting the packets on the labeled network to be made slightly bigger so they can accommodate the extra space needed for the labels:

On the CIPSO-network-facing interfaces on Solaris Trusted Extensions (or OpenSolaris Trusted Extensions) just do:

ifconfig <interface> mtu 1512

after you’ve updated the network interface driver configuration (by tweaking e1000g.conf/igb.conf/…) – and you’re done.
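
To see which labels fit in the 12 extra bytes that an MTU of 1512 provides, here is an added example (not from the original post) that builds a CIPSO option with one tag of type 1, following the CIPSO draft layout, and computes the header growth after 32-bit padding. The DOI, level and category values are constructed, and trimming the category bitmap to the highest category set is an assumption about the sender.

```python
import struct

CIPSO_OPTION_TYPE = 134   # IPv4 option number used by CIPSO
BASE_MTU = 1500           # standard Ethernet MTU on the unlabeled side
MAX_IP_OPTIONS = 40       # IPv4 header is at most 60 bytes, 20 of them fixed


def cipso_option(doi, level, categories=()):
    """Build a CIPSO option carrying one tag type 1 (bit-mapped categories)."""
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one octet")
    # Category bitmap: category 0 is the most significant bit of octet 0.
    # Assumption: the sender trims the bitmap to the highest category set.
    bitmap = bytearray((max(categories) // 8 + 1) if categories else 0)
    for cat in categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    # Tag: type, length, alignment octet, sensitivity level, bitmap.
    tag = struct.pack("!BBBB", 1, 4 + len(bitmap), 0, level) + bytes(bitmap)
    # Option header: type, total length, 32-bit domain of interpretation.
    option = struct.pack("!BBI", CIPSO_OPTION_TYPE, 6 + len(tag), doi) + tag
    if len(option) > MAX_IP_OPTIONS:
        raise ValueError("label does not fit in the IPv4 options area")
    return option


def label_overhead(option):
    """Bytes the option adds to the IP header, padded to a 32-bit boundary."""
    return -(-len(option) // 4) * 4


def required_mtu(option, base_mtu=BASE_MTU):
    """MTU needed on the labeled side to carry a full base_mtu packet."""
    return base_mtu + label_overhead(option)


if __name__ == "__main__":
    # Constructed sample labels: (DOI, level, categories).
    for doi, level, cats in [(1, 5, ()), (1, 5, (3, 12)), (1, 5, (3, 40))]:
        opt = cipso_option(doi, level, cats)
        print(opt.hex(), label_overhead(opt), required_mtu(opt))
```

Under these assumptions a label with no categories, or with categories below 16, grows the header by exactly 12 bytes; a higher category number widens the bitmap and needs a correspondingly larger MTU.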

2 thoughts on “CIPSO making your packets too fat? Jumbo frames to the rescue!”

  1. Darren Moffat

    Better yet, Labeled IPsec integrated this week. So dump CIPSO, run jumbo frames, *and* get strong crypto protection and separation of labeled traffic.

  2. bartb Post author

    That’s an option if you can run OpenSolaris. In the meantime those stuck on supported releases of the OS’ll have to do with jumbo frame hackery.
