IETF Logo Mail Archive

Re: [IPsec] Dynamic PMTUD over IKEv2

Yoav Nir <ynir.ietf@gmail.com> Tue, 23 January 2018 17:56 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68F4C1276AF for <ipsec@ietfa.amsl.com>; Tue, 23 Jan 2018 09:56:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DaKM_Lf5yrEB for <ipsec@ietfa.amsl.com>; Tue, 23 Jan 2018 09:56:41 -0800 (PST)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF8CB1275AB for <ipsec@ietf.org>; Tue, 23 Jan 2018 09:56:40 -0800 (PST)
Received: by mail-wr0-x230.google.com with SMTP id v15so1511488wrb.8 for <ipsec@ietf.org>; Tue, 23 Jan 2018 09:56:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=sSJ7xqh5DPmtbQ11Hh0XlVvMU3PE3Qkxf8TI78u+1dc=; b=HU6Be9VohgiF9sM4kTFS4ehO+vJyqw9aIlWtdQaweS8f0ZKsUkz3n71LE4ezuFvhxN 4a2iSxQBHA4ONRBEy4U9QIz/FwDXoE/2wuZcFKorDc1oUqwXjcwXNp/+gI3mt2T0tXru DQNHe9RVsqtxmTS7lKDQ7glvo7+JjF2ghfAZqUIq2rCr9LNb1rjAycszQf7XsF5SjwFY kvkX0xKRitXeihlGPfTnt3riVkDHAsyy3DIZ4RiRfzVW7R4KmFnTCTtRK2YhOSXm8sUb O0XMlO12st4dx2CIQPo87rrBQu+DEWzRJaPJGu2NIe1GLXM6F5S0pERbup7/tg/muLxD T9Ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=sSJ7xqh5DPmtbQ11Hh0XlVvMU3PE3Qkxf8TI78u+1dc=; b=sXyPgk6XZoid4zGDStt335Rnydqa8xsTOBphyX82B2OJrnM7EcJHvTxTR7VSvfxEsc rn5GlSNcEdJ9l5+M4Lan5iksngSeKFVM0U4uhjIHNqeVGVj/LQP86sBV5M3p8xNIVpw2 E0tSvJdAORCp+fhbUOwwVN1v/yop6sU0Ac87RDZqUxYIJxC7u8xIcvZFrNh7tOILt5Lv OUnVP4mZHRY6TjF1HyVuxOvAQxwaoBDKl7h7Y81BmH7PH26ZVbum3oSnTlvqw7lrATN2 WGoiV+pY0tembhwX/hOQZmLGxkX/fyDrm0IhpsjCZU8DN795IHQCp364lg5F3VDwdgyP 3gIA==
X-Gm-Message-State: AKwxytd631Eg3pFhN0HU4jFj5CPD3dw7YFQ6U06bX1AYBKlZzQxYDEHl 4pX1Cd0/LyjYPnSZu+AGxNw=
X-Google-Smtp-Source: AH8x225c+5st0Zmbc7Tcqw/KxvcLxRW3ywmj/dzzxBln/WHj3IU4wc/kRcmAy9qwbMLBvdoZ9g8Y+A==
X-Received: by 10.223.155.196 with SMTP id e4mr3319951wrc.63.1516730199113; Tue, 23 Jan 2018 09:56:39 -0800 (PST)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id q13sm1158865wrg.3.2018.01.23.09.56.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Jan 2018 09:56:38 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <9D48AC2A-32B8-42EF-B4DF-4825E4D75A32@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_03A09886-FB8F-4EE4-92E1-DBA0B8F18212"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Tue, 23 Jan 2018 19:56:36 +0200
In-Reply-To: <CY1PR05MB1867D823D8A05A0D92530830A1E30@CY1PR05MB1867.namprd05.prod.outlook.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
To: Shibu Piriyath <spiriyath@juniper.net>
References: <CY1PR05MB1867D823D8A05A0D92530830A1E30@CY1PR05MB1867.namprd05.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6iSO5mtwQKmMhKf-2gxyk1OE284>
Subject: Re: [IPsec] Dynamic PMTUD over IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 17:56:43 -0000

> On 23 Jan 2018, at 12:29, Shibu Piriyath <spiriyath@juniper.net> wrote:
> 
> Hi All,
> 
> We have come up with a proposal for discovering Path MTU between IPsec head-ends dynamically using IKEv2 messages.
> Please review the draft - https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-00 <https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-00> and let us know your comments,
> 
> Thanks,
> Shibu.

Hi Shibu.

Thank you for working on this.  I have some comments.


Administrative/political: 
This document proposes an IPv4-only mechanism.  While the IETF has not (yet?) approved" [1] (see discussion threads [2] and [3]), there needs to be some justification for why we’re doing an IPv4-only mechanism.  Is this not a problem in IPv6 (Because we assume that PTB responses propagate correctly in the IPv6 network that in the IPv4 Internet routers routinely fragment) or is there some other mechanism for IPv6?


Terminology:
- I usually encounter the terms ingress and egress for interfaces of a particular router or host. I think it would be clearer to use “tunnel ingress” and “tunnel egress” or “encryptor” and “decryptor”
- "Overhead is the number of bytes required for tunnel encapsulation”. Overhead is then used as a number that is subtracted from physical MTU.  However, the overhead is not constant. IPsec requires padding to some multiple of 4, 8, or 16 depending on the algorithm.  I suggest modifying the definition of overhead to “Overhead is the *maximum* number of bytes required for tunnel encapsulation”
- "fragmentation within the tunnel is allowed” - this is about fragmenting an ESP packet that is too large. I don’t think “within the tunnel” is the best term for this. How about “fragmentation of the ESP packet by intermediate routers is allowed” ?




Technical:
                                                                If the
   packet length is greater than the tunnel MTU and the packet can be
   fragmented, the ingress node fragments the packet, encapsulates each
   fragment, and forwards each encapsulated fragment through the tunnel.

That’s one way of doing things. Another is to encapsulate the packet anyway and send the ESP packet out in fragments. This way is also compatible with IPv6.  I know of at least one implementation that does this.


There is an assumption that the egress node knows about the fragmentation. Usually some layer in the stack will defragment before handing the IPsec stack a re-assembled IPsec packet to decrypt.  Maybe some implementations are more integrated and the IPsec stack has this information, but this assumption needs to be stated explicitly.


Some routers drop packets that are too big instead of fragmenting them. Of these, some send back the PTB and some don’t. An active PMTUD method (ingress sends dummy packets of various sizes and receives acknowledgements from egress if they arrive) can work with such intermediate routers. This method cannot.


How do you prevent the following attack? The attacker manages to drop or delay one ESP packet. It captures this packet and retransmits it in small fragments. This induces the egress to send the notification from section 3.2 to the ingress, causing it to internally fragment all future packets.

Yoav

[1] https://tools.ietf.org/html/draft-ietf-sunset4-ipv6-ietf-01
[2] https://www.ietf.org/mail-archive/web/ietf/current/msg104661.html
[3] https://www.ietf.org/mail-archive/web/ietf/current/msg104721.html

v2.23.0 | Report a Bug | By Email