IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 01:33 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C865C14F720 for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 18:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maeTmX1FyTIH for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95BC5C14F693 for <ipsec@ietf.org>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id p184so8738701iof.11 for <ipsec@ietf.org>; Sun, 30 Oct 2022 18:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aRJIU1gSst2bkZFDzVXxBDh1Bx115pKn9vn7cV0JFHg=; b=ayUrLEYACDmT2Z2mte05AYYv744JkvbS2k6BkK4bTccA1/Q4tM57nR0UzCvtkmR2ZW 3LUDc53YsePpHnmpWnwcla0iL6o5rKGTiDogpoAJaMx5qVk1kqv5SW/9a/yT181jVhhv MuXCzBfEWaMy5K1j/3VeH9Iai0CDxgmHHdrC29KS4udTwS7dNC8iMqDaTshv9ErA00L5 ESDAWQzmUqZiHEtOQHF5vGD44oNuTLnTrWmTYvph/hXNV9w6jKT7xaQIDqUib1j8/lK2 WQP6kxOh/D2fJs8LgYsepmxXjFJRL+oAg1x+bD5KEeHnXmejiRhKYdE33y3jCJYUIb0I BeVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aRJIU1gSst2bkZFDzVXxBDh1Bx115pKn9vn7cV0JFHg=; b=6KtCNt4HOV5zDTgpF0D0rVMEyUKmuEU3vzw6kSUu/2iG8nDNREJeXuoW/OsNnBCWgo gTF2g+9ptwo8vmFeyBGlW8RzEUuJtdIjgk/R1bL/RBQDsBJndZOycNz3EV8P4xFOUwAp Ggk4/5ren6wl04gjr7iV0P4iGSrZJgQ4cwfNqoMN+jRPU+CFBtlfs0wLEbuVw9H/aFYf OvPQxL/AWQ5nA9dmaV0ed39OVEl3u2DXu4OQaPqYJ13QXdEcICIcxlyFFK6PXolJ3vSc uom9deBaFd3nymmjWLvrhGfhDT4xTgbd6k9D6D4LsXvN0qasXbeQTUMJ9Hc8i0hVUrTo zDpQ==
X-Gm-Message-State: ACrzQf0zGydiO5wN3rHGrP1N86QBWXwV/ORIozUtCxHZRkHwtEnaKO3d WKaM3aOcM7nCy/cMzyBD8Ls0/vGRwWpyQ3N0ljlnmYLoH8c=
X-Google-Smtp-Source: AMsMyM6xdKdDiAGmM3l/n4j/wMj4hNrdFp7iJaZVaiqpSzHqtWZVahFbhIc2yjsVXxdtg/7nbPVM9v6yVJC34s9/IMI=
X-Received: by 2002:a05:6638:2488:b0:375:aa4:885 with SMTP id x8-20020a056638248800b003750aa40885mr6032870jat.160.1667180008041; Sun, 30 Oct 2022 18:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com>
In-Reply-To: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Sun, 30 Oct 2022 21:33:17 -0400
Message-ID: <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: ipsec@ietf.org
Content-Type: multipart/alternative; boundary="00000000000027ef1605ec4a9811"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RS-cEXEv2X7FsIpnMZl6Emeeysk>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 01:33:35 -0000

Thanks Joe for the feedback. I responded inline to your questions.

To the main question: what is this a solution for ? It is a solution to
avoid an ingress security gateway to become overloaded by de-fragmenting
packets. The main idea is that the ingress security gateway informs the
egress security gateway that fragmentation is occurring  with an indication
of the maximum size of the packet. In the best case scenario, the security
gateway informs the source node to reduce the size of the inner packet with
an ICP PTB packet for example.

I do believe that the communication between the ingress and egress security
gateway is in scope of IPsec. My perception is that it is an ICMP PTB with
the assurance the message is received. What I think you mean is outside the
scope of IPsec is sending an ICMP PTB message (in the case of a remote
node) or changing the MTU directly in the case the source node and security
gateway are the same entity. What is unclear to me is whether the current
design violates anything or why it wouldn't work.

Then, do you have any recommendations to achieve what we are trying to
achieve ?

Yours,
Daniel








On Sun, Oct 30, 2022 at 6:04 PM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> There are some issues with the doc:
> - abstract has a typo, doc uses ’node’ where it should use ‘router’ for
> on-path frag, etc
>
easy to fix.

> - discussion should to be more specific with respect to RFCs 1122, 792,
> and 4821
>
Apart from 1122, we have all these references. If you still have in mind
what needs to be more specific that would help. From the text below, it
seems the use of egress / ingress should be used as opposed to upstream,
downstream. Is that what you mean ?

> - the overall problem is assumed but never clearly defined
>
> In the intro we have the following text that intends to capture that
we are willing to avoid reassembling.

  IPv4 packets are often fragmentable with
   their DF bit set to 0.  In this case, as described in [RFC0792], when
   a packet size exceeds its MTU, the node fragments the incoming packet
   in multiple fragments.  The inconvenient is that the receiving
   security gateway will have to re-assembled the multiple fragments to
   rebuilt an ESP packet before being able to apply the IPsec
   decapsulation.


I agree with Michael Richardson’s post of 8-16-22 on a few points:
> 1) it is premature for a TSV ART review of this document
> I’m not actually sure that TSV review is relevant, as tunneling is more an
> INTDIR issue (on which I do not sit),
> though I’m probably at least as appropriate a reviewer on tunnel issues
>
This is a chicken and egg issue. We do not want to design/discuss a
solution within the ipsecme WG without some feedback  that what we are
doing will not be opposed by the transport area.

> 2) this discussion is confusing as to both aspects and terminology of
> tunneling
> I encourage those interested review draft-intarea-tunnels - while expired
> (I’m getting back to it), it remains definitive in the IETF AFAICT
>
> The stated point of this work, rephrased, is to have the IPsec tunnel
> egress tell the IPsec tunnel ingress that the (next hop) link MTU out of
> the egress (i.e., after traffic exits the tunnel) is too small for the
> packets the egress node tries to forward.
>
Correct.

>
> So it tells the tunnel ingress that the egress link MTU is too small. But
> that MTU is of the origin packet (not the tunnel packet, which includes the
> source packet as a paylaad), which the tunnel ingress has no control over.
>
> My understanding is that you are saying the outer packet size is defined
by the inner packet size, so the reduction of the packet size needs to be
implemented by the source of the inner packet, and there is actually little
the IPsec egress tunnel security gateway can do.
If that is correct, I do agree that that information should be relayed to
the source node of the inner packet, but I believe this is what
we mentioned and section 4.2 lists 3 ways to handle this.
1) The IPsec egress tunnel security gateway can inform the source of the
inner packet to reduce its MTU with ICMP PTB. That inner MTU is derived
from the outer MTU.
2) The IPsec egress tunnel security gateway may perform the fragmentation
of the inner packet.
3) The IPsec egress tunnel security gateway may fragment itself the outer
packet.

I.e., this isn’t a signal from the egress to the ingress about the tunnel
> (path) MTU.
>
isn't it from ingress to egress ? Currently, in our proposal the IPsec
ingress security gateway is returning 2 type of information to the IPsec
egress security gateway:
* the fact that the outer IP packet is fragmented
* the value of the outer MTU.
As far as I understand, you seem to say this is not a signal related to the
inner communication (that is inside the tunnel). I tend to agree, but I
also do not see that information completely uncorrelated and we expect the
security gateway to "translate" that information to the source of the inner
packet. A huge advantage of such information is that it is being
transmitted by the ingress IPsec security gateway to the IPsec egress
security gateway over a secure channel. In our opinion this adds at least
some value over the ICMP PTB.In terms of information I tend to agree that
this information is similar except that that information can be assumed to
be received by the other security gateway.

Even if it were, then the tunnel ingress would be sending more fragments
> (at the tunnel ingress by source-fragmented at the outer header); it can’t
> change the MTU of the origin packets it happens to receive — that happens
> at the packet origin, which can be upstream of the ingress, or at a minimum
> is outside the scope of IPsec (even if the ingress and packet origin are a
> the same node).
>
> I do see two aspects. On that one security gateway provides some
information regarding its processing related to IPsec. At the very least
informing the egress security gateway that it straffic is causing a DDoS
seems in scope.
Now, it is also correct that providing such information if no action can be
taken is not very useful. In our case, we do mention some actions that can
be taken and one of these actions is that the security gateway sends an
ICMP PTB message. It is unclear to me if that is what you are mentioning as
out of scope of IPsec. I see this as similar to a router that needs to
fragment and sends to the source an ICMP PTB packet.


> What exactly is this a solution for?
>
The solution is to avoid the receiving gateway to re-fragment.

>
> Joe
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email