MSS and MTU
MSS numbers are 40 bytes smaller than the MTU numbers because the MSS is just the TCP data size, which does not include the 20 byte IPv4 header and the 20 byte TCP header (both without options). On a 1500 byte Ethernet MTU that gives the familiar MSS of 1460. Over IPv6 the base header is 40 bytes, so the MSS is 60 below the MTU, 1440 on Ethernet.
The IP header takes 20 bytes.
The ICMP header takes 8 bytes, in addition to the 20 bytes of the IP header.
The largest ICMP echo payload (the ping data size) you can send unfragmented on a normal Ethernet segment is 1472 bytes, which is 1500 minus the 20 byte IP header minus the 8 byte ICMP header. A quick check on Linux: ping -M do -s 1472 host goes through, while -s 1473 is refused locally with a "message too long, mtu=1500" error because the don't-fragment flag is set.
IPIP (also called IP-ENCAP, IP protocol 4) has no header of its own: it wraps the original datagram in a second, outer IPv4 header of 20 bytes, in addition to the 20 byte IP header the original datagram already carries.
The largest TCP payload you can send unfragmented over an IPIP tunnel on a normal Ethernet segment is 1440 bytes, which is 1500 minus the 20 byte outer IP header, minus the 20 byte inner IP header, minus the 20 byte TCP header. The tunnel's IP MTU is therefore 1480, and the MSS to clamp is 1440, not the usual 1460.
The GRE header (IP protocol 47) is 4 bytes in its minimal form (8 with a key, up to 16 with checksum, key and sequence number), so GRE over IPv4 adds 24 bytes in total: the 20 byte outer IP header plus the 4 byte GRE header.
The largest TCP payload you can send unfragmented over a GRE tunnel on a normal Ethernet segment is 1436 bytes, which is 1500 minus the 24 bytes of outer IP and GRE, minus the 20 byte inner IP header, minus the 20 byte TCP header. The tunnel MTU is therefore 1476 (the default MTU Cisco assigns to GRE tunnel interfaces), and the MSS to clamp is 1436.
EoIP, or Ethernet over IP, is a proprietary tunnel type of MikroTik RouterOS that carries whole Ethernet frames inside GRE.
EoIP tunnels add 42 bytes of overhead (8 byte GRE + 14 byte Ethernet + 20 byte IP). Because the encapsulated Ethernet header is part of that overhead, a full 1500 byte inner IP packet becomes a 1542 byte outer packet, so on a 1500 byte path the outer packets get fragmented unless the EoIP interface MTU is lowered to 1458 (and the TCP MSS to 1418).
AH (Authentication Header, IP protocol 51): provides integrity and origin authentication for a datagram by adding a header that carries a MAC computed over the payload and the immutable fields of the IP header (mutable fields such as TTL and checksum are excluded). AH offers no confidentiality, and because the MAC covers the source and destination addresses, AH does not survive NAT.
ESP (Encapsulating Security Payload, IP protocol 50): provides confidentiality for IP datagrams by encrypting their payload, and with an integrity algorithm or an AEAD cipher such as AES-GCM it authenticates that payload as well. ESP does not cover the outer IP header, which is why it can be carried through NAT (with UDP encapsulation). Encryption-only ESP with no integrity protection is attackable by an active adversary and should not be configured.
Transport mode: the protocol protects the message passed down to IP from the transport layer. The TCP or UDP segment is processed by AH/ESP and the appropriate header(s) are added in front of the transport header; IP then adds the IP header in front of that. The original IP header stays in the clear, so transport mode is host to host only and adds just the AH/ESP overhead.
Tunnel mode: in this mode, IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it. The IPsec headers appear in front of the original IP header, and then a new IP header is added in front of the IPsec header. That is to say, the entire original IP datagram, addresses included, is secured and then encapsulated within another IP datagram, which hides the inner addresses and lets a gateway protect traffic for the hosts behind it. Each packet grows by the 20 byte outer IP header plus the AH/ESP overhead, so as with IPIP and GRE the tunnel MTU shrinks and the TCP MSS must be clamped below 1460.
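As an added worked example (not part of the original notes), the following Python computes the unfragmented payload and MSS budgets for the encapsulations listed above, from plain Ethernet and ping through IPIP, GRE and EoIP to IPsec tunnel mode, where ESP padding makes the overhead depend on the packet length. The IPv4, TCP, ICMP, IPIP, GRE and EoIP sizes are the ones given in the notes; the IPv6 header size and the ESP parameters (IV, pad alignment, ICV, outer header) are assumptions chosen to match common AES-GCM and AES-CBC+HMAC-SHA1 configurations.

```python
"""Tunnel and MSS budget calculator.

Added example, not part of the original notes. Fixed header sizes follow the
notes (IPv4 20, TCP 20, ICMP 8, IPIP 20, GRE 4 + outer IPv4 20 = 24, EoIP 42).
The IPv6 size and the ESP parameters (8 byte SPI+sequence header, IV, padding
to the cipher block size plus a 2 byte trailer, ICV) are assumptions taken
from common AES-GCM and AES-CBC+HMAC settings, not from the notes.
"""
from dataclasses import dataclass
from typing import List, Union

# Fixed-size encapsulation layers, in bytes.
FIXED = {
    "ipv4": 20,   # IPv4 header without options
    "ipv6": 40,   # IPv6 base header (assumption, not in the notes)
    "tcp": 20,    # TCP header without options
    "icmp": 8,    # ICMP echo header
    "ipip": 20,   # IPIP: one extra outer IPv4 header
    "gre": 24,    # outer IPv4 (20) + minimal GRE header (4)
    "eoip": 42,   # MikroTik EoIP: outer IPv4 (20) + GRE (8) + inner Ethernet (14)
}


@dataclass(frozen=True)
class Esp:
    """ESP layer whose on-wire size depends on the plaintext length (assumed parameters)."""
    iv: int = 8          # 8 for AES-GCM, 16 for AES-CBC
    block: int = 4       # pad alignment: 4 for GCM/CTR (RFC 4303 minimum), 16 for AES-CBC
    icv: int = 16        # 16 for AES-GCM, 12 for HMAC-SHA1-96
    outer_ip: int = 20   # tunnel mode adds an outer IPv4 header; use 0 for transport mode

    def size(self, inner: int) -> int:
        """Bytes on the wire for `inner` bytes of plaintext."""
        # Plaintext + pad + 2 byte trailer (pad length, next header) is a multiple of block.
        padded = -(-(inner + 2) // self.block) * self.block
        return self.outer_ip + 8 + self.iv + padded + self.icv


Layer = Union[str, Esp]


def wire_size(payload: int, layers: List[Layer]) -> int:
    """Total IP packet size for `payload` bytes wrapped in `layers`, innermost first."""
    size = payload
    for layer in layers:
        size = layer.size(size) if isinstance(layer, Esp) else size + FIXED[layer]
    return size


def max_payload(mtu: int, layers: List[Layer]) -> int:
    """Largest payload whose encapsulated packet fits in `mtu` without fragmentation.

    Fixed layers are plain subtraction and give an upper bound; ESP padding
    only ever adds bytes, so walk down from that bound until the packet fits.
    """
    guess = mtu - sum(FIXED[layer] for layer in layers if isinstance(layer, str))
    while guess > 0 and wire_size(guess, layers) > mtu:
        guess -= 1
    return guess


def tcp_mss(mtu: int, tunnel: List[Layer], ip: str = "ipv4") -> int:
    """MSS to clamp for TCP carried inside `tunnel` (outermost layer last) on a path with `mtu`."""
    return max_payload(mtu, ["tcp", ip] + tunnel)


def budget_table(mtu: int = 1500) -> dict:
    """MSS and payload figures for the encapsulations discussed in the notes."""
    gcm = Esp()                            # AES-GCM-128, tunnel mode
    cbc = Esp(iv=16, block=16, icv=12)     # AES-CBC + HMAC-SHA1-96, tunnel mode
    return {
        "plain ethernet": tcp_mss(mtu, []),
        "plain ethernet, ipv6": tcp_mss(mtu, [], ip="ipv6"),
        "ping payload": max_payload(mtu, ["icmp", "ipv4"]),
        "ipip": tcp_mss(mtu, ["ipip"]),
        "gre": tcp_mss(mtu, ["gre"]),
        "gre tunnel mtu": max_payload(mtu, ["gre"]),
        "eoip": tcp_mss(mtu, ["eoip"]),
        "esp tunnel aes-gcm": tcp_mss(mtu, [gcm]),
        "esp tunnel aes-cbc/sha1": tcp_mss(mtu, [cbc]),
        "gre over esp tunnel aes-gcm": tcp_mss(mtu, ["gre", gcm]),
    }


if __name__ == "__main__":
    for name, value in budget_table().items():
        print(f"{name:28s} {value}")
```

max_payload walks down from the fixed-header bound rather than subtracting, because ESP padding makes the on-wire size grow in steps of the block size; for the MSS clamp, pass tcp_mss the tunnel layers with the outermost last, so a GRE tunnel riding inside an ESP tunnel is ["gre", Esp()]. Transport mode is modelled by putting an Esp(outer_ip=0) between the TCP and IP layers.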