IPv6 ESP payload size is smaller than expected

From: Jason Mader <jasonmader_at_gmail.com>
Date: Fri, 15 Jul 2022 21:10:14 UTC

On a FreeBSD 12.0 NFSv4.1 server with Linux 5.14 NFS clients communicating
over IPsec ESP transport,

spdadd -6 Network::/64[any] FreeBSD::12[2049] tcp -P in  ipsec esp/transport//require;
spdadd -6 FreeBSD::12[any] Network::/64[any] tcp -P out ipsec esp/transport//require;

I've found that the Linux NFS client will perform NFS writes with an ESP
payload size of 1428 (TCP Seg Len: 1394), but the FreeBSD NFS server
response to read has an ESP payload size of 1368 (1363 data + 3 bytes
padding) (TCP Seg Len: 1331).

Linux writes will have an ESP Payload of 1460 bytes, but the reads from the
FreeBSD NFS server have an ESP Payload of only 1400 bytes.

The encryption algorithm for ESP is aes-gcm-16.

socket information from Linux NFS client,
mss:1394 pmtu:1466 rcvmss:1331 advmss:1428

I am trying to find out why FreeBSD NFS is not sending the same amount of
data in each packet as Linux.
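
The sizes quoted in the message can be decomposed layer by layer. The following is an added example, not part of the original post: it computes the ESP transport-mode layout for aes-gcm-16 over IPv6 from a TCP segment length. It assumes a 32-byte TCP header (20 bytes plus 12 bytes of options, inferred from 1363 - 1331 in the post), no IPv6 extension headers, and a 1500-byte link MTU; the function and class names are hypothetical.

```python
from dataclasses import dataclass

IPV6_HDR = 40     # fixed IPv6 header, no extension headers (assumption)
ESP_HDR = 8       # SPI + sequence number (RFC 4303)
GCM_IV = 8        # explicit per-packet IV for AES-GCM in ESP (RFC 4106)
GCM_ICV = 16      # aes-gcm-16 uses a 16-byte integrity check value
ESP_TRAILER = 2   # pad length + next header bytes
ALIGN = 4         # the ESP trailer must end on a 4-byte boundary
TCP_HDR = 32      # 20-byte header + 12 bytes of options (assumption)


@dataclass
class EspPacket:
    padding: int      # ESP padding bytes
    encrypted: int    # TCP segment + padding + trailer
    esp_total: int    # ESP header + IV + encrypted + ICV
    ipv6_total: int   # on-wire IPv6 packet length


def esp_transport_sizes(tcp_payload, tcp_hdr=TCP_HDR):
    """Sizes of one ESP transport-mode packet carrying tcp_payload bytes."""
    inner = tcp_hdr + tcp_payload
    padding = -(inner + ESP_TRAILER) % ALIGN
    encrypted = inner + padding + ESP_TRAILER
    esp_total = ESP_HDR + GCM_IV + encrypted + GCM_ICV
    return EspPacket(padding, encrypted, esp_total, IPV6_HDR + esp_total)


def max_tcp_payload(mtu, tcp_hdr=TCP_HDR):
    """Largest TCP payload whose ESP packet still fits in mtu bytes."""
    room = mtu - IPV6_HDR - ESP_HDR - GCM_IV - GCM_ICV
    room -= room % ALIGN          # encrypted part must stay 4-byte aligned
    return room - ESP_TRAILER - tcp_hdr


if __name__ == "__main__":
    # Segment lengths taken from the post
    for name, seg in (("Linux write", 1394), ("FreeBSD read", 1331)):
        p = esp_transport_sizes(seg)
        print(f"{name}: seg={seg} pad={p.padding} encrypted={p.encrypted} "
              f"esp={p.esp_total} ipv6={p.ipv6_total}")
    print("max TCP payload at MTU 1500:", max_tcp_payload(1500))
```

Under these assumptions the Linux writes fill a 1500-byte IPv6 packet exactly, while the FreeBSD reads produce 1440-byte packets.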