bitscoper.dev

How Does IPsec Impact MSS and MTU

IPsec introduces changes to the Maximum Transmission Unit (MTU) and Maximum Segment Size (MSS), which are critical considerations for network performance.

MTU Impact

The MTU is effectively reduced when IPsec is implemented because of its encapsulation overhead. This overhead, consisting of the encryption fields and an additional IP layer, typically adds approximately 93 bytes to the packet size.

Assuming an average Ethernet frame size of 1500 bytes, this results in a new MTU of around 1407 bytes. Packets that exceed this size are fragmented into smaller pieces for transmission, which can lead to slowdowns or data loss.

MSS Impact

The MSS (Maximum Segment Size) is the maximum TCP payload size, excluding headers. In IPsec environments, an MSS of 1,400 bytes is commonly used, with TCP-MSS adjusted to 1,360 bytes to accommodate overhead. Any packet payload exceeding these sizes will either be transmitted in smaller segments or risk being dropped, which reduces transmission efficiency.

In summary, both MTU and MSS are reduced by IPsec’s encapsulation process, necessitating careful network configuration to ensure optimal performance and avoid fragmentation issues.
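The exact overhead depends on the cipher suite and on whether NAT traversal is in use, so the figure of about 93 bytes above is an approximation. The following sketch is an added example, not code from this site. It goes beyond the single case in the text by computing the largest unfragmented inner packet and the matching TCP MSS for several ESP tunnel-mode suites over IPv4. The suite table and function names are assumptions chosen for illustration.

```python
# Added example: ESP tunnel-mode sizing over IPv4. Field sizes follow the ESP
# packet layout (RFC 4303); the suite table and function names are assumptions.
OUTER_IPV4 = 20      # new outer IPv4 header (tunnel mode, no options)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP encapsulation header when NAT traversal is in use
IPV4_TCP = 40        # inner IPv4 (20) + TCP (20) headers, no options

# suite name -> (IV bytes, padding alignment, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 4, 16),
}

def esp_packet_size(inner_len, suite, nat_t=False):
    """On-wire size of one tunnel-mode ESP packet carrying inner_len bytes."""
    iv, align, icv = SUITES[suite]
    # Inner packet plus trailer is padded up to the cipher's alignment.
    encrypted = -(-(inner_len + ESP_TRAILER) // align) * align
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
            + ESP_HEADER + iv + encrypted + icv)

def max_inner_mtu(link_mtu, suite, nat_t=False):
    """Largest inner IP packet that fits in link_mtu without fragmentation."""
    iv, align, icv = SUITES[suite]
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv
    room = (link_mtu - fixed) // align * align   # whole cipher blocks only
    return room - ESP_TRAILER

def tcp_mss(inner_mtu):
    """TCP MSS to clamp to for a given inner (tunnel) MTU."""
    return inner_mtu - IPV4_TCP

if __name__ == "__main__":
    for name in SUITES:
        for nat_t in (False, True):
            mtu = max_inner_mtu(1500, name, nat_t)
            print(f"{name:26} nat_t={nat_t!s:5} inner MTU {mtu}  "
                  f"overhead {1500 - mtu}  MSS {tcp_mss(mtu)}")
    # 1,400 minus 40 header bytes is 1,360, the TCP-MSS value quoted above.
    print("MSS for 1400-byte tunnel MTU:", tcp_mss(1400))
```

A tunnel MTU set at or below the smallest value printed for the suites in use leaves every ESP packet within the 1500-byte link MTU.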
