Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 01:33 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C865C14F720 for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 18:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maeTmX1FyTIH for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95BC5C14F693 for <ipsec@ietf.org>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id p184so8738701iof.11 for <ipsec@ietf.org>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aRJIU1gSst2bkZFDzVXxBDh1Bx115pKn9vn7cV0JFHg=; b=ayUrLEYACDmT2Z2mte05AYYv744JkvbS2k6BkK4bTccA1/Q4tM57nR0UzCvtkmR2ZW 3LUDc53YsePpHnmpWnwcla0iL6o5rKGTiDogpoAJaMx5qVk1kqv5SW/9a/yT181jVhhv MuXCzBfEWaMy5K1j/3VeH9Iai0CDxgmHHdrC29KS4udTwS7dNC8iMqDaTshv9ErA00L5 ESDAWQzmUqZiHEtOQHF5vGD44oNuTLnTrWmTYvph/hXNV9w6jKT7xaQIDqUib1j8/lK2 WQP6kxOh/D2fJs8LgYsepmxXjFJRL+oAg1x+bD5KEeHnXmejiRhKYdE33y3jCJYUIb0I BeVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aRJIU1gSst2bkZFDzVXxBDh1Bx115pKn9vn7cV0JFHg=; b=6KtCNt4HOV5zDTgpF0D0rVMEyUKmuEU3vzw6kSUu/2iG8nDNREJeXuoW/OsNnBCWgo gTF2g+9ptwo8vmFeyBGlW8RzEUuJtdIjgk/R1bL/RBQDsBJndZOycNz3EV8P4xFOUwAp Ggk4/5ren6wl04gjr7iV0P4iGSrZJgQ4cwfNqoMN+jRPU+CFBtlfs0wLEbuVw9H/aFYf OvPQxL/AWQ5nA9dmaV0ed39OVEl3u2DXu4OQaPqYJ13QXdEcICIcxlyFFK6PXolJ3vSc uom9deBaFd3nymmjWLvrhGfhDT4xTgbd6k9D6D4LsXvN0qasXbeQTUMJ9Hc8i0hVUrTo zDpQ==
X-Gm-Message-State: ACrzQf0zGydiO5wN3rHGrP1N86QBWXwV/ORIozUtCxHZRkHwtEnaKO3d WKaM3aOcM7nCy/cMzyBD8Ls0/vGRwWpyQ3N0ljlnmYLoH8c=
X-Google-Smtp-Source: AMsMyM6xdKdDiAGmM3l/n4j/wMj4hNrdFp7iJaZVaiqpSzHqtWZVahFbhIc2yjsVXxdtg/7nbPVM9v6yVJC34s9/IMI=
X-Received: by 2002:a05:6638:2488:b0:375:aa4:885 with SMTP id x8-20020a056638248800b003750aa40885mr6032870jat.160.1667180008041; Sun, 30 Oct 2022 18:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com>
In-Reply-To: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Sun, 30 Oct 2022 21:33:17 -0400
Message-ID: <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: ipsec@ietf.org
Content-Type: multipart/alternative; boundary="00000000000027ef1605ec4a9811"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RS-cEXEv2X7FsIpnMZl6Emeeysk>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 01:33:35 -0000
Thanks Joe for the feedback. I responded inline to your questions. To the main question: what is this a solution for ? It is a solution to avoid an ingress security gateway to become overloaded by de-fragmenting packets. The main idea is that the ingress security gateway informs the egress security gateway that fragmentation is occurring with an indication of the maximum size of the packet. In the best case scenario, the security gateway informs the source node to reduce the size of the inner packet with an ICP PTB packet for example. I do believe that the communication between the ingress and egress security gateway is in scope of IPsec. My perception is that it is an ICMP PTB with the assurance the message is received. What I think you mean is outside the scope of IPsec is sending an ICMP PTB message (in the case of a remote node) or changing the MTU directly in the case the source node and security gateway are the same entity. What is unclear to me is whether the current design violates anything or why it wouldn't work. Then, do you have any recommendations to achieve what we are trying to achieve ? Yours, Daniel On Sun, Oct 30, 2022 at 6:04 PM touch@strayalpha.com <touch@strayalpha.com> wrote: > There are some issues with the doc: > - abstract has a typo, doc uses ’node’ where it should use ‘router’ for > on-path frag, etc > easy to fix. > - discussion should to be more specific with respect to RFCs 1122, 792, > and 4821 > Apart from 1122, we have all these references. If you still have in mind what needs to be more specific that would help. From the text below, it seems the use of egress / ingress should be used as opposed to upstream, downstream. Is that what you mean ? > - the overall problem is assumed but never clearly defined > > In the intro we have the following text that intends to capture that we are willing to avoid reassembling. IPv4 packets are often fragmentable with their DF bit set to 0. In this case, as described in [RFC0792], when a packet size exceeds its MTU, the node fragments the incoming packet in multiple fragments. The inconvenient is that the receiving security gateway will have to re-assembled the multiple fragments to rebuilt an ESP packet before being able to apply the IPsec decapsulation. I agree with Michael Richardson’s post of 8-16-22 on a few points: > 1) it is premature for a TSV ART review of this document > I’m not actually sure that TSV review is relevant, as tunneling is more an > INTDIR issue (on which I do not sit), > though I’m probably at least as appropriate a reviewer on tunnel issues > This is a chicken and egg issue. We do not want to design/discuss a solution within the ipsecme WG without some feedback that what we are doing will not be opposed by the transport area. > 2) this discussion is confusing as to both aspects and terminology of > tunneling > I encourage those interested review draft-intarea-tunnels - while expired > (I’m getting back to it), it remains definitive in the IETF AFAICT > > The stated point of this work, rephrased, is to have the IPsec tunnel > egress tell the IPsec tunnel ingress that the (next hop) link MTU out of > the egress (i.e., after traffic exits the tunnel) is too small for the > packets the egress node tries to forward. > Correct. > > So it tells the tunnel ingress that the egress link MTU is too small. But > that MTU is of the origin packet (not the tunnel packet, which includes the > source packet as a paylaad), which the tunnel ingress has no control over. > > My understanding is that you are saying the outer packet size is defined by the inner packet size, so the reduction of the packet size needs to be implemented by the source of the inner packet, and there is actually little the IPsec egress tunnel security gateway can do. If that is correct, I do agree that that information should be relayed to the source node of the inner packet, but I believe this is what we mentioned and section 4.2 lists 3 ways to handle this. 1) The IPsec egress tunnel security gateway can inform the source of the inner packet to reduce its MTU with ICMP PTB. That inner MTU is derived from the outer MTU. 2) The IPsec egress tunnel security gateway may perform the fragmentation of the inner packet. 3) The IPsec egress tunnel security gateway may fragment itself the outer packet. I.e., this isn’t a signal from the egress to the ingress about the tunnel > (path) MTU. > isn't it from ingress to egress ? Currently, in our proposal the IPsec ingress security gateway is returning 2 type of information to the IPsec egress security gateway: * the fact that the outer IP packet is fragmented * the value of the outer MTU. As far as I understand, you seem to say this is not a signal related to the inner communication (that is inside the tunnel). I tend to agree, but I also do not see that information completely uncorrelated and we expect the security gateway to "translate" that information to the source of the inner packet. A huge advantage of such information is that it is being transmitted by the ingress IPsec security gateway to the IPsec egress security gateway over a secure channel. In our opinion this adds at least some value over the ICMP PTB.In terms of information I tend to agree that this information is similar except that that information can be assumed to be received by the other security gateway. Even if it were, then the tunnel ingress would be sending more fragments > (at the tunnel ingress by source-fragmented at the outer header); it can’t > change the MTU of the origin packets it happens to receive — that happens > at the packet origin, which can be upstream of the ingress, or at a minimum > is outside the scope of IPsec (even if the ingress and packet origin are a > the same node). > > I do see two aspects. On that one security gateway provides some information regarding its processing related to IPsec. At the very least informing the egress security gateway that it straffic is causing a DDoS seems in scope. Now, it is also correct that providing such information if no action can be taken is not very useful. In our case, we do mention some actions that can be taken and one of these actions is that the security gateway sends an ICMP PTB message. It is unclear to me if that is what you are mentioning as out of scope of IPsec. I see this as similar to a router that needs to fragment and sends to the source an ICMP PTB packet. > What exactly is this a solution for? > The solution is to avoid the receiving gateway to re-fragment. > > Joe > — > Dr. Joe Touch, temporal epistemologist > www.strayalpha.com > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Ericsson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Joe Touch
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com