Don’t Fragment bit [force_df], Minimal MTU [min_mtu], Add Route [add_route] – Nortel Networks 608(WL) User Manual

Page 210: Chapter 6


Chapter 6

Advanced Features

E-DOC-CTC-20051017-0169 v0.1


Don’t Fragment bit

[force_df]

IPSec encryption increases the packet length. When the MTU of a link is set so that
the largest IP packet just passes unfragmented, the same packet no longer fits once
it has been encapsulated by IPSec, and it will not pass if the Don’t Fragment (DF)
bit is set. In some cases the fragmentation behaviour has to be influenced to remedy
such problems.

The SpeedTouch™ allows treating the DF bit in three different ways:

- Pass the DF bit unchanged.
- Force the DF bit to zero. With the DF bit cleared, fragmentation is allowed.
- Force the DF bit to one. With the DF bit set, fragmentation of messages is not
  allowed.

Minimal MTU [min_mtu]

This option sets the minimal negotiated value of the “Maximum Transmission Unit”
(MTU, the largest packet size). Because no value lower than this minimum is
accepted, the option protects against attacks that use ICMP “fragmentation needed”
messages to force the MTU down to a very small value.
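
The combined effect of force_df and min_mtu can be modelled in a few lines of Python. This is an added illustration, not SpeedTouch or Nortel code: the class and method names, the 1500-octet link MTU, the 60-octet IPSec overhead and the choice to clamp (rather than discard) a too-small advertised MTU are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TunnelModel:
    """Simplified model of one IPSec connection (illustration only)."""
    force_df: str = "pass"   # pass | force_set | force_clear (manual's values)
    min_mtu: int = 1000      # octets, the manual's default
    path_mtu: int = 1500     # assumed MTU of the outgoing link
    overhead: int = 60       # assumed octets added by IPSec encapsulation

    def on_frag_needed(self, advertised_mtu: int) -> int:
        """Process an ICMP "fragmentation needed" message; return the new MTU."""
        if advertised_mtu < self.path_mtu:
            # Assumption: a too-small value is clamped to min_mtu, so a
            # message advertising e.g. 68 octets cannot shrink the MTU further.
            self.path_mtu = max(advertised_mtu, self.min_mtu)
        return self.path_mtu

    def effective_df(self, original_df: bool) -> bool:
        """Apply the force_df setting to the packet's DF bit."""
        if self.force_df == "pass":
            return original_df
        if self.force_df == "force_set":
            return True
        if self.force_df == "force_clear":
            return False
        raise ValueError(f"unknown force_df value: {self.force_df!r}")

    def send(self, length: int, df: bool) -> str:
        """Return what happens to a packet of `length` octets before IPSec."""
        if length + self.overhead <= self.path_mtu:
            return "forward"
        return "drop" if self.effective_df(df) else "fragment"


def demo() -> list:
    """Constructed scenario: a 1480-octet packet with DF set, then ICMP input."""
    results = [TunnelModel(force_df=v).send(1480, df=True)
               for v in ("pass", "force_clear", "force_set")]
    tunnel = TunnelModel()
    results.append(tunnel.on_frag_needed(68))     # clamped to min_mtu
    results.append(tunnel.send(600, df=True))     # still fits after the clamp
    return results


if __name__ == "__main__":
    print(demo())
```

With force_clear the oversized packet is fragmented instead of dropped, and the clamp keeps a 600-octet packet forwardable even after a message advertising a 68-octet MTU.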

Add Route [add_route]

This option is relevant in routed mode only. The option determines whether or not
routes are automatically added to the routing table.

When enabled, a route to the remote red network is automatically added to the
routing table, via the Physical Interface of the peer to which the connection is
attached.

When disabled, the routing table has to be adapted manually in order to ensure IP
connectivity between the local and remote red networks.

force_df
  Possible values: pass, force_set, force_clear
  Default value: pass

min_mtu
  Unit: octets
  Default value: 1000

add_route
  Possible values: enabled, disabled
  Default value: enabled

This manual is related to the following products:

620