Re: [IPsec] Dynamic PMTUD over IKEv2
Dan Wing <danwing@gmail.com> Tue, 23 January 2018 21:04 UTC
Return-Path: <danwing@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF0712AF83 for <ipsec@ietfa.amsl.com>; Tue, 23 Jan 2018 13:04:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxDPN-rCBATU for <ipsec@ietfa.amsl.com>; Tue, 23 Jan 2018 13:04:40 -0800 (PST)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C18FF12D7F3 for <ipsec@ietf.org>; Tue, 23 Jan 2018 13:04:39 -0800 (PST)
Received: by mail-pg0-x234.google.com with SMTP id m136so1127305pga.12 for <ipsec@ietf.org>; Tue, 23 Jan 2018 13:04:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HPBAn6/4CveDP6UfsJL44d/ytsf38eAFF2aPrycNKbA=; b=gtJN6rK93yABgSSF1yJHn6mwHq+my6zZquqGDNTHnWOXItDM0kBTgOH1EAvw6pc32X MRMc046/0ZTFOOb2WJj1zoZa32G4ksRQrv9Gwa4fTQXs0GhXUdnqvXM7Ovho6AeiTR0Z Bfky0z8qbGVeiO35190VxpPSbZECZyxj3A0MeJrDvKUXokzxTiio0+GWnTQM6xztTbZo R5QlmpMhZW1SYc4TMhY5V54SeDoMrw2d2dWJsbBoi14vFLiXzSEZs9IJGCZHi+exRXM9 OADvc2p5F6DpRd+U0zx/QwVT9LH7r3fiAwwjGkEZFTjFd+7+7/3cY6AQzDqsQjdxg9WH kJIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HPBAn6/4CveDP6UfsJL44d/ytsf38eAFF2aPrycNKbA=; b=muOU4P0kjZaQVmzEyEhOzOSYaFet5+DNBvIEBk7CGU2AJyMLDHGozy4XNgiQkigg0k gdSkEaQPAUXZOJb30rtjZsNC/FOnnUQpzEjaTv7ntv6hy+ZzYqKpipiCHUNvTQVTOgF0 ZTZYwXJoT9joBAYiyxNZbnhSvGR+sOAPPhKIPwZOnJH05Wz4O39KJQd1DyITaGgQhd11 UPBVNvsHiFJkHoW13/CG7szShGrzSCqBmfIUWfePCy/LsjBlfrOliHlj4br8ffK5LS1Y JJV+JMmcI29uTuQabcEDTbq+XJRRJiKQwqARkx/SiY2gHi4AqxDuG+UwV7yxkaq7got6 n8og==
X-Gm-Message-State: AKwxytcv/cjhcTVziyh4AgqBdNo3s37zTFOWobEUw7qJSONJsEw9xum5 g5LPiXdvPlULXqG2SDzDG0E=
X-Google-Smtp-Source: AH8x224KEhBPO8DK//psN/arJsIWkkcNjoYOuHfJLikOAwlJTJEU8EQGq26ABLEq3tkptpC/DtfHcg==
X-Received: by 2002:a17:902:8487:: with SMTP id c7-v6mr6387082plo.410.1516741479240; Tue, 23 Jan 2018 13:04:39 -0800 (PST)
Received: from ?IPv6:2600:1010:b02e:b5be:754e:a3ae:abe5:1539? ([2600:1010:b02e:b5be:754e:a3ae:abe5:1539]) by smtp.gmail.com with ESMTPSA id r27sm5916270pfj.75.2018.01.23.13.04.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Jan 2018 13:04:37 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Dan Wing <danwing@gmail.com>
In-Reply-To: <9D48AC2A-32B8-42EF-B4DF-4825E4D75A32@gmail.com>
Date: Tue, 23 Jan 2018 13:04:30 -0800
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2064C97D-2E9A-4BEE-851B-5F91D0E08413@gmail.com>
References: <CY1PR05MB1867D823D8A05A0D92530830A1E30@CY1PR05MB1867.namprd05.prod.outlook.com> <9D48AC2A-32B8-42EF-B4DF-4825E4D75A32@gmail.com>
To: Shibu Piriyath <spiriyath@juniper.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Mw2hPjj1zxlfsvxm3b6y15HPS9c>
Subject: Re: [IPsec] Dynamic PMTUD over IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 21:04:42 -0000
> On Jan 23, 2018, at 9:56 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > >> On 23 Jan 2018, at 12:29, Shibu Piriyath <spiriyath@juniper.net> wrote: >> >> Hi All, >> >> We have come up with a proposal for discovering Path MTU between IPsec head-ends dynamically using IKEv2 messages. >> Please review the draft - https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-00 and let us know your comments, >> >> Thanks, >> Shibu. > > Hi Shibu. > > Thank you for working on this. I have some comments. > > > Administrative/political: > This document proposes an IPv4-only mechanism. While the IETF has not (yet?) approved" [1] (see discussion threads [2] and [3]), there needs to be some justification for why we’re doing an IPv4-only mechanism. Is this not a problem in IPv6 (Because we assume that PTB responses propagate correctly in the IPv6 network that in the IPv4 Internet routers routinely fragment) or is there some other mechanism for IPv6? > > > Terminology: > - I usually encounter the terms ingress and egress for interfaces of a particular router or host. I think it would be clearer to use “tunnel ingress” and “tunnel egress” or “encryptor” and “decryptor” > - "Overhead is the number of bytes required for tunnel encapsulation”. Overhead is then used as a number that is subtracted from physical MTU. However, the overhead is not constant. IPsec requires padding to some multiple of 4, 8, or 16 depending on the algorithm. I suggest modifying the definition of overhead to “Overhead is the *maximum* number of bytes required for tunnel encapsulation” > - "fragmentation within the tunnel is allowed” - this is about fragmenting an ESP packet that is too large. I don’t think “within the tunnel” is the best term for this. How about “fragmentation of the ESP packet by intermediate routers is allowed” ? > > > > > Technical: > If the > packet length is greater than the tunnel MTU and the packet can be > fragmented, the ingress node fragments the packet, encapsulates each > fragment, and forwards each encapsulated fragment through the tunnel. > > > That’s one way of doing things. Another is to encapsulate the packet anyway and send the ESP packet out in fragments. This way is also compatible with IPv6. I know of at least one implementation that does this. > > > There is an assumption that the egress node knows about the fragmentation. Usually some layer in the stack will defragment before handing the IPsec stack a re-assembled IPsec packet to decrypt. Maybe some implementations are more integrated and the IPsec stack has this information, but this assumption needs to be stated explicitly. > > > Some routers drop packets that are too big instead of fragmenting them. Of these, some send back the PTB and some don’t. An active PMTUD method (ingress sends dummy packets of various sizes and receives acknowledgements from egress if they arrive) can work with such intermediate routers. Also known as PLPMTUD (packetization layer path MTU discovery), https://tools.ietf.org/html/rfc4821. Most similar to IKE is this presentation that describes PLPMTUD with STUN; IKE could do similar thing, https://www.ietf.org/proceedings/73/slides/behave-10.pdf. There is an RFC describing PLPMTUD for TCP, but I don't cite it because TCP. The I-D should also encourage re-setting the path MTU following the same plateau algorithm described in RFC1191, or explain why that algorithm is bad and instead the algorithm described in the I-D is superior (the I-D describes discarding the learned MTU and re-learning, from scratch). -d > This method cannot. > > > How do you prevent the following attack? The attacker manages to drop or delay one ESP packet. It captures this packet and retransmits it in small fragments. This induces the egress to send the notification from section 3.2 to the ingress, causing it to internally fragment all future packets. > > Yoav > > [1] https://tools.ietf.org/html/draft-ietf-sunset4-ipv6-ietf-01 > [2] https://www.ietf.org/mail-archive/web/ietf/current/msg104661.html > [3] https://www.ietf.org/mail-archive/web/ietf/current/msg104721.html > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Dynamic PMTUD over IKEv2 Shibu Piriyath
- Re: [IPsec] Dynamic PMTUD over IKEv2 Yoav Nir
- Re: [IPsec] Dynamic PMTUD over IKEv2 Dan Wing
- Re: [IPsec] Dynamic PMTUD over IKEv2 Joe Touch