IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Fri, 13 January 2023 22:12 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA40C1522DD for <ipsec@ietfa.amsl.com>; Fri, 13 Jan 2023 14:12:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KmqoAiWcXlDo for <ipsec@ietfa.amsl.com>; Fri, 13 Jan 2023 14:12:22 -0800 (PST)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 469BDC15152E for <ipsec@ietf.org>; Fri, 13 Jan 2023 14:12:22 -0800 (PST)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-4d59d518505so134839777b3.1 for <ipsec@ietf.org>; Fri, 13 Jan 2023 14:12:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oVEfsZNkXiSkuyODVQS3htcFMrawLp9uqD/yS5E+gP4=; b=BCoc/xfQdn4bsQU0i7MBXQ8XrDBVuFc04dEoMXlNi0u3WFkPIkEFQDIOhejIwLfr79 VaauMFhs1XX4Zi2ZwegBN1Rkd/EdkmyeIRljEKFC5GKHK/5BzikFnHKNKEA9ZKCacSiE gsH60PYFnYr03rJrgf/imQ0HVpLeDQoKwWhBw4JSU7qQuonfzlNm+1w0c6dSpkUjeQLR 6AAqR6OMXRrgTJmLjkD3ujCym6LKy972/ukEjrEhMHtrH+7b5Z/oKMRr1rlXCmWigzL8 8xx33aXXst6z0EZ1tAgQJSLs19PFyMq3/2HF973Nh6P/fRrf9WJGZy19iifZCt8T+BsX 3N8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oVEfsZNkXiSkuyODVQS3htcFMrawLp9uqD/yS5E+gP4=; b=Cdd7Cg+kJQgCh/yxBqWEfE+p/hizRmfH9qL0O37ktoU5QVBEYIF5bm3OTo7Jddxh02 Z8rUj0nvXShZY7+mINNWBUgCBLyl9UKgEAZMv/+tUgsb+5kMNTbMw8NiyLm/nWubx3gz wiFOt9lPZEVx2I8KIiPQ5LMWf83ETx3XwUIMc0gcvySMqYcdkxwILHM/5tq4oCsCZ5Lg uzF1WXOXMiRCwbhSgqF6/cXjgmCHhYR5G0VfecKxjlY8a4Z4sQ9M7z25Kw1++2xD5Grg TER/hL2aa4vZZnKh1c8jl4YO/WwXDYUcxFl6pvsICx15OzGgqvz7SuTbvbUBiIj6zoYd lrfg==
X-Gm-Message-State: AFqh2kokYMWxK/dDwhuSoNaylaOPwYer93gobGtHWjRB2kq3SA+yXAQo hqXMs61FM5LgAz5Ms4G9bkHbHsDoPRFcfMd+0Hc=
X-Google-Smtp-Source: AMrXdXsM95E1hXK4jy/x/mXjtBppzfiHw8O66997gADxXXy7UoKtdjzhEShkwaLehi4QF1iCZohwKXyhden2j4lVtd4=
X-Received: by 2002:a81:1e92:0:b0:360:7f0a:1620 with SMTP id e140-20020a811e92000000b003607f0a1620mr3849327ywe.192.1673647941048; Fri, 13 Jan 2023 14:12:21 -0800 (PST)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com> <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com> <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com> <CADZyTk=qYNqX+oyUKxn5AV-0UmkwQLqtO1bWAOUiD6jDQmbS0w@mail.gmail.com> <8F02DADA-F86D-42B2-8835-9F1EAABBBAF6@strayalpha.com> <CADZyTkkFEBEdKFYKqAmTKKg68xbmAH3yNH3_JJLpUUDYuhoKDQ@mail.gmail.com> <CADZyTkmf1UYVJ+wJ4DSbYygrpDfU2UyQ7Xq_RZ=C4LQMsy_22Q@mail.gmail.com> <A8146A62-ED80-4D82-AF26-99DC3392DA12@strayalpha.com>
In-Reply-To: <A8146A62-ED80-4D82-AF26-99DC3392DA12@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 13 Jan 2023 17:12:09 -0500
Message-ID: <CADZyTk=t7GtYevZ9qbvgidhtjRsOdQoPcHbAGFj=4zRL4rzpxQ@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000015ea405f22c871e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Mhy-uoe3HNf2ie1kD1kXizCTS90>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 22:12:26 -0000

Hi Joe,

Thanks for the comment. There are some terminologies we were not using
properly, so thank you for the clarification. Please find inline our
clarification and implementation of your concerns.

Yours,
Daniel

On Sun, Jan 8, 2023 at 11:45 AM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> Hi, Daniel,
>
> The abstract clearly states a goal that is not achievable (of avoiding
> reassembly). The best way to avoid the impact of mid-tunnel fragmentation
> is to use IPv4 as a tunnel header the way that IPv6 would be - with DF=1.
> However, even so, the egress always needs to handle reasssembly as long as
> there is even source fragmentation.
>

I understand the comment as our goal is interpreted to avoid
reassembling operations to happen completely. This would mean that
reassembly could even not be implemented.
This is not our intention. Reassembly happens the same way it happens
today. The only thing we do is that the egress node notify the ingress node
that reassembly is happening. The ingress node may or may not take any
action to prevent reassembly to happen with the next packets being tunneled
over the IPsec tunnel. In that sense "avoid" needs to be understood as
reducing the number of occurrences the reassembly operation happens.

We may agree the best way to avoid mid tunnel fragmentation is to set DF=1.
But in our case we cannot meet this condition.
The current text in the abstract is

OLD:
This document considers an ingress and an egress security gateway connected
over an IPv4 network.
The Tunnel Link Packet have their Don't Fragment (DF) set to 0.

Does the text below is clearer to say:

NEW:
This document considers an ingress and an egress security gateway connected
over a IPv4 network with the Tunnel Link Packet Don't Fragment (DF) set to
0.

The introduction mentions the rationals on why we cannot rely on setting
DF=1. Typically some routers do not check the MTU and ignore the packet
without returning a ICMP PTB error and in many deployments the ICMP PTB -if
sent - is blocked and is not received. This prohibits the use of DF=1 with
IPv4.



>
> I appreciate what you WANT to do - but again, it is not possible. You have
> two behaviors - either use inner fragmentation (which won’t work for
> transit traffic where IPv4 DF=1 or any IPv6) or reduce the tunnel MTU.
>
> But the tunnel MTU is defined by EMTU_R of the tunnel egress, not EMTU_S
> of the tunnel ingress. If you reduce the tunnel MTU, you’re just going to
> end up black-holing packets arriving at the tunnel ingress.
>
>  ok. I misunderstood tunnel MTU and that tunnel MTU is EMTU_R, this is not
what we are changing. What we had written might be confusing.
When I said EMTU_R I was considering the router only without any
consideration of the tunnel.  From the terminology section of
intarea-tunnel I did not read EMTU_R applies to a tunnel environment, and
considered this to be the MTU associated to the interface for incoming
packet to the router.

Here is what we actually meant:


We are ensuring that packet that are encapsulated by the Ingress interface
do not exceed the tunnel MAP.  My understanding is  that the tunnel MAP is
the largest IP packet the source can send,  that will not be fragmented by
the network between the Ingress and egress interface. As it is not
fragmented, fragments will not be reassembled.

To do so, we set the MTU of the router associated with the Ingress
interface is set to the tunnel MAP. This corresponds to set tunMTU =tunMAP
Figure 11 of intarea.

Suppose an IP packet is sent by the source and meets that router.
* The packet has DF=1. If it is larger than that MTU (= tunMAP), the packet
is discarded and an ICMP PTB message is sent back to the source. The source
will proceed to source fragmentation.

* The packet has DF=0.  that is larger than that MTU the router fragments
it in fragments less than tunMAP thus performing inner fragmentation.

* Any packet smaller than the MTU = tunMAP is sent to the ingress interface
and encapsulated.


I agree that we MUST ensure that ICMP PTB messages are received by the
source and lead to source fragmentation otherwise, this will result in
black holding traffic between the tunnel MAP and the original MTU of the
router.

Note that by setting DF=1 you are supposed to be able to handle this kind
of situation. So I do not see this as a major issue.

Two important points: the tunnel ingress is NOT the one that should ever
> send PTB back; that’s the job of the router where/if that tunnel ingress
> resides; second, you cannot claim to get around an ICMP black hole
> situation by creating a new ICMP black hole situation.
>
> With the mechanism we clarified, the ICMP PTB is sent by the router where
the ingress interface is.
Regarding the blackholing situation, in the first case, it results from the
transit network which is out of the control of the administrator of the
source. On the other hand, the administrator of the source is able to
ensure that ICMP packet sent by the ingress router will be received by the
source. This only happens when DF=1 which supposes that MTU can be handled
as well as source fragmentation.



> The rest of the document is rife with further errors, e.g.:
>
> The last sentence of the abstract is incomprehensible.
>
>  The last sentence of the abstract is:

"""
The ingress security gateway is expected to either perform (when possible)
Inner Fragmentation of to update Tunnel MTU.
"""
is the wording below clearer ?
"""
The ingress security gateway is expected to either use inner fragmentation
 or consider the tunnel MAP as its  tunnel MTU.
"""
>
> In the intro, the claims about IPv4 ID are incorrect. As noted in RFC6864,
> speed is not the issue but rather the expected reordering. Additionally,
> there’s already a timeout, so there is no requirement for indefinitely kept
> state. Further, given source fragmentation, such issues are irrelevant.
>
>
We mention high rates as ID collision requires a number of packets. Let
say, a link with 3 packets is very unlikely to result in an ID collision.
draft-ietf-intarea-tunnels in section 4.1.4 mentions high speed nodes as
well, so it is unclear what is wrong in our formulation below - but I
remain open to a clearer one.

"""
Then, as detailed in {{?RFC4963}}, {{!RFC6864}} or {{!RFC8900}}, the 16-bit
IPv4 identification field is not large enough to prevent duplication making
fragmentation not sufficiently robust at high data rates.
"""

DF=1 leads to black holing ONLY in the absence of PLPMTUD, which is the
> appropriate solution for IPsec tunnels anyway.
>
Again we are not considering the case where DF=1. Even though we were
considering DF=1, I am inclined that IPsec does not have  PLPMTUD which
seems to indicate that DF=1 is subject to blackholing.
As far as I know there is no PLPMTUD defined for IPsec. The only document I
found was the following one:
https://www.ietf.org/archive/id/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-01.txt

That said, with IPsec IKEv2 and ESP may take different paths so having
a  PLPMTUD is likely to impact ESP and IKEv2. In addition, we are concerned
not by the MTU but the tunMAP.
In our case, we simply define a notification for IKEv2, which seems way
more simpler.

On the other hand, tunnel MTU does not prevent reassembly to occur.
It is correct that in addition to tunMAP we may also provide tunMTU to
prevent blackholing from happening at the egress gateway. The ingress node
will then be able to distinguish if the packet is discarded or fragmented.

Note that even if DF=0, black-holing could still occur if the Tunnel
> Transit packet exceeds the tunnel egress EMTU_R.
>
> The notification may look like:
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Link Path Maximum Atomic Packet Value               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        EMTU_R                                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

> Joe
>
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com
>
> On Jan 4, 2023, at 7:21 PM, Daniel Migault <mglt.ietf@gmail.com> wrote:
>
> Hi Joe,
>
> We are waiting for your feedback, but I just want to check we have the
> same understanding and that we will have a feed back.
>
> We would like to understand if the terminology used in the document is
> aligned with the one of intarea-tunnels and if we agree that
> intarea-tunnels and IPsec have different perspectives on
> handling fragmentation. I do not see what we are proposing very different
> from what IPsec has been doing for years.
>
> I also think that everything is explained in the introduction (2 text
> pages), so you do not have to read the full document. The document is
> available here:
> https://datatracker.ietf.org/doc/draft-liu-ipsecme-ikev2-mtu-dect/
>
> Yours,
> Daniel
>
> On Sat, Nov 26, 2022 at 9:25 AM Daniel Migault <mglt.ietf@gmail.com>
> wrote:
>
>> Hi Joe,
>>
>> So  we just published an update of our draft. We try to catch up the
>> complete idea in the introduction - to avoid reading the complete draft. I
>> think we partly aligned with the tunnel document. The current version only
>> describe the security gateway as a node and does not split it between a
>> outer and an interface. I think for the remaining of the document we are
>> taking the exact terminology from the tunnel draft.
>>
>> We believe that IKEv2 and the tunnel document have different visions and
>> tried to highlight this also.
>>
>> One big clarification in my point of view is that the previous version
>> confused MTU with MAP.
>>
>> We are happy to get your feedback.
>>
>> Yours,
>> Daniel
>>
>> On Mon, Oct 31, 2022 at 5:32 PM touch@strayalpha.com <
>> touch@strayalpha.com> wrote:
>>
>>> On Oct 31, 2022, at 11:07 AM, Daniel Migault <mglt.ietf@gmail.com>
>>> wrote:
>>>
>>>
>>> - the tunnel has two DIFFERENT relevant MTUs
>>>> the egress reassembly MTU (EMTU_R), which is the only thing that should
>>>> drive the “tunnel MTU”
>>>>
>>>> the tunnel MTU, which the ingress needs to know for source
>>>> fragmentation, but is NOT relevant to the
>>>> origin MTU upstream of the ingress
>>>>
>>>> Will read the draft - but we believe that is better to generate one
>>> IPsec packet for every inner IP packet as opposed to two. This is why we
>>> are proposing to adjust the MTU so the outer packet matches the limit of
>>> the EMTU_R - and fragmentation be avoided.
>>>
>>>
>>> That doc explains why this is effort isn’t useful. As I noted to Tero,
>>> there’s no ICMP message that says “bigger than I’d like”. PTB means
>>> “packets larger than this will be dropped”. That’s not what’s going on
>>> here, so it’s the wrong message to support.
>>>
>>> There is no message that supports what you’re trying to do - perhaps
>>> because there can’t and shouldn’t be.
>>>
>>> Joe
>>>
>>
>>
>> --
>> Daniel Migault
>> Ericsson
>>
>
>
> --
> Daniel Migault
> Ericsson
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email