5 MTU on ZYBO Bridge
The structure of a bridge configuration is illustrated below. Basically, whatever is received on the private interface (adapter eth0) is encrypted and sent to the pair device through the public interface (eth1), encapsulated in a UDP packet. The reverse direction is almost the same: a packet received on the specified UDP port at the public interface eth1 is decrypted and sent to the private network through eth0.
```
//////////////////////////////////////////////////////////////////////////////
//                ________       _________       _________                  //
//               |        |     |         |     |         |                 //
PC <---[eth0]--->|  PRIV  |<--->| ENC/DEC |<--->| UDP/PUB |<---[eth1]---> Pair
//               |________|     |_________|     |_________|                 //
//                                                                          //
//////////////////////////////////////////////////////////////////////////////
```
Which interface (eth0, eth1 or wlan) is the public interface and which is the private interface is set in the configuration file. In the figure above, eth0 is chosen as the private and eth1 as the public interface.
The Zybo test board has only one Ethernet module; a secondary Ethernet module is provided by an Edimax EU-4306 USB 3.0 Gigabit Ethernet Adapter connected to the USB OTG port.
- eth0: built-in Ethernet port on the Zybo (Realtek RTL8211E-VL)
- eth1: Edimax EU-4306 USB 3.0 Gigabit Ethernet Adapter (Asix AX88179_178A)
One issue is that the eth0 port has an MTU limitation: it cannot be set to anything greater than 1500 bytes. Since 1500 bytes is the default MTU on any PC, eth0 is chosen as the private interface, and so any Ethernet frame from a PC on the local network can be captured without trouble.
In that configuration, when 1500 bytes of data are sent to the private interface, the captured data total 1518 bytes: the 14-byte Ethernet frame header plus a 4-byte identifier. Those 1518 bytes are the plaintext input to the encryption module.
Note that for any input of length less than or equal to 1518 bytes, the output of the encryption module may be longer than 1518 bytes. Whether it is longer, and by how much, depends on which encryption module is used. For nacltai, a 1518-byte input produces a 1550-byte output; for nacl0 it is 1534 bytes.
On the public interface side, the output of the encryption module is first encapsulated in a UDP packet and then transmitted to the pair device. That UDP encapsulation obviously increases the Ethernet frame payload length, adding 28 bytes of IP/UDP headers to the encryption block output.
In conclusion, the MTUs are:
Interface | MTU (bytes)
---|---
PC at local network | 1500
Private interface eth0 | 1500
Public interface eth1 with proto_raw | 1546
Public interface eth1 with proto_nacl0 | 1562
Public interface eth1 with proto_nacltai | 1578
One thing needs attention: the frame size on the public channel (with each encryption module) is greater than 1500 bytes, so it can only be carried in an Ethernet II frame, as seen here.
If a device between the two VPN pairs does not support such Ethernet II frames, one solution is to set lower MTUs. It would be logical to set the public channel interface MTU to 1500 in that case; in return, any frame exceeding that length will be fragmented.
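The MTU bookkeeping above, carried through as an added example (it is not code from this wiki or from the bridge project): the script derives the public-interface MTU for each protocol from the page's figures (1500-byte private MTU, 14-byte Ethernet header, 4-byte identifier, 1518/1534/1550-byte module outputs, 28-byte IP/UDP headers) and, going one step beyond the page, also computes the largest private-side MTU that avoids fragmentation when the public link must stay at 1500, the fallback case in the last paragraph. The protocol names and all constants follow the page; the function names are this example's own.

```python
# Added example, not part of the original page: MTU arithmetic for the
# ZYBO bridge.  All byte counts below are the figures quoted on the page.

ETH_HEADER = 14        # Ethernet frame header captured on the private side
IDENTIFIER = 4         # 4-byte identifier added to the captured frame
IP_UDP_HEADERS = 28    # 20-byte IPv4 header + 8-byte UDP header

# Bytes each encryption module adds to a 1518-byte plaintext, derived from
# the output lengths quoted on the page (1518, 1534 and 1550 bytes).
CRYPTO_OVERHEAD = {
    "proto_raw": 0,
    "proto_nacl0": 1534 - 1518,     # 16 bytes
    "proto_nacltai": 1550 - 1518,   # 32 bytes
}


def plaintext_len(private_mtu: int) -> int:
    """Length of the frame handed to the encryption module as plaintext."""
    return private_mtu + ETH_HEADER + IDENTIFIER


def public_mtu(private_mtu: int, proto: str) -> int:
    """Smallest public-interface MTU that carries one private frame unfragmented."""
    return plaintext_len(private_mtu) + CRYPTO_OVERHEAD[proto] + IP_UDP_HEADERS


def mtu_table(private_mtu: int = 1500) -> dict:
    """Public MTU per protocol; with the default this reproduces the page's table."""
    return {proto: public_mtu(private_mtu, proto) for proto in CRYPTO_OVERHEAD}


def max_private_mtu(public_link_mtu: int, proto: str) -> int:
    """Largest private-side MTU that still fits the public link unfragmented.

    This is the fallback case from the page (public MTU held at 1500), solved
    for the private side instead of accepting fragmentation.  Derived here,
    not stated on the page.
    """
    return (public_link_mtu - IP_UDP_HEADERS - CRYPTO_OVERHEAD[proto]
            - ETH_HEADER - IDENTIFIER)


def will_fragment(private_mtu: int, public_link_mtu: int, proto: str) -> bool:
    """True if a full-size private frame exceeds the public link MTU."""
    return public_mtu(private_mtu, proto) > public_link_mtu


if __name__ == "__main__":
    for proto, mtu in mtu_table().items():
        print(f"{proto:<14} public MTU {mtu}")
    for proto in CRYPTO_OVERHEAD:
        print(f"{proto:<14} max private MTU on a 1500-byte link: "
              f"{max_private_mtu(1500, proto)}")
```

Running it reproduces the 1546/1562/1578 figures from the table, and shows that on a public link capped at 1500 bytes the private side would have to drop to 1454 (raw), 1438 (nacl0) or 1422 (nacltai) bytes to avoid fragmenting every full-size frame.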