Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 16:03 UTC

References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <410257.1667230617@dyas>
In-Reply-To: <410257.1667230617@dyas>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 31 Oct 2022 12:03:12 -0400
Message-ID: <CADZyTk=g_fdeA+ORzPVmcYjyPxxt_idWoVsa29NRR6fuJunswg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RiO5s4JvTGlE-ETqXZTT82NcmFM>

I think Michael is correct. The problem comes from the fragmentation of the
outer IPv4 packet. The inner packet might be IPv4 or IPv6 and the
security gateway may use any possible means to ask the nodes to adjust
their MTU. Currently we suggest using ICMP PTB, but if RFC 9268 also
provides some means to do it, we do not want to prevent using it. We
currently believe that this may be up to the gateway to decide what to do,
so we do not necessarily require any use mechanism to be normative - but
that point may evolve depending on what the WG decides.

Yours,
Daniel

On Mon, Oct 31, 2022 at 11:37 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Tero Kivinen <kivinen@iki.fi> wrote:
>     > My understanding is that this draft (which I have not yet properly
>     > read) is solving the situation where the tunnel does not get ICMP PTB
>     > messages as they are forwarding packets with DF bit set to 0, and then
>     > the receiving end will see extra fragmentation happening for the
>     > packets. Then the receiving end will simulate the ICMP PTB by sending
>     > authenticated IKEv2 notification that tells the sending end that his
>     > packets got fragmented.
>
> While I think that the authors think they are solving this problem, I think
> that what they have created is a protocol for dealing with fragmentation
> beyond the far gateway.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-


-- 
Daniel Migault
Ericsson
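The following is an added, self-contained simulation of the situation Tero describes in the quoted text: the sending gateway tunnels an inner packet in ESP with DF=0, a link between the gateways fragments the outer IPv4 packet, the receiving gateway notices the fragments from the outer header alone, and the sender derives the inner MTU it would then advertise (for instance via ICMP PTB). It is not code from the draft or from either author. It assumes ESP tunnel mode over IPv4 with AES-GCM overhead (8-byte SPI and sequence number, 8-byte IV, 16-byte ICV, 2-byte trailer, 4-byte ciphertext alignment per RFC 4303/4106); the outer headers and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed test data, and the receiver-to-sender report is modelled as a plain function return because the thread does not give the IKEv2 notification's format.

```python
import struct

# Assumed ESP tunnel-mode overhead (AES-GCM, RFC 4303/4106): constructed figures.
OUTER_IPV4_HDR = 20   # outer IPv4 header without options
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
IP_MF = 0x2000        # "more fragments" flag in the flags/offset field
IP_DF = 0x4000        # "don't fragment" flag (left clear in this scenario)


def _pad4(n):
    # ESP ciphertext (payload + trailer) must end on a 4-byte boundary.
    return (n + 3) // 4 * 4


def esp_tunnel_outer_len(inner_len, iv_len=8, icv_len=16):
    """Outer IPv4 total length produced by tunnelling an inner packet of inner_len bytes."""
    return OUTER_IPV4_HDR + ESP_HDR + iv_len + _pad4(inner_len + ESP_TRAILER) + icv_len


def max_inner_mtu(outer_pmtu, iv_len=8, icv_len=16):
    """Largest inner packet whose tunnelled form still fits in outer_pmtu bytes."""
    budget = outer_pmtu - OUTER_IPV4_HDR - ESP_HDR - iv_len - icv_len
    return (budget // 4) * 4 - ESP_TRAILER


def ipv4_header(total_len, ident=0x1234, flags=0, frag_off=0, proto=50):
    """Constructed minimal outer IPv4 header (no options, checksum left zero)."""
    field = flags | (frag_off // 8)          # offset is carried in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, field,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def parse_outer(hdr):
    """Decode the fields a receiving gateway needs from the outer header."""
    _, _, total_len, ident, field, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", hdr)
    return {"len": total_len, "id": ident, "proto": proto,
            "mf": bool(field & IP_MF), "off": (field & 0x1FFF) * 8}


def is_fragment(hdr):
    """True if this outer packet is a fragment (MF set or non-zero offset)."""
    p = parse_outer(hdr)
    return p["mf"] or p["off"] != 0


def fragment_outer(total_len, link_mtu, ident=0x1234):
    """Split a DF=0 outer packet at a link of link_mtu bytes, as a router would.
    Non-final fragments carry a payload that is a multiple of 8 bytes."""
    if total_len <= link_mtu:
        return [ipv4_header(total_len, ident)]
    payload = total_len - OUTER_IPV4_HDR
    chunk = (link_mtu - OUTER_IPV4_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        last = off + n >= payload
        frags.append(ipv4_header(OUTER_IPV4_HDR + n, ident,
                                 flags=0 if last else IP_MF, frag_off=off))
        off += n
    return frags


def seen_outer_mtu(frags):
    """The receiving gateway's estimate of the fragmenting link's MTU: the first
    fragment (offset 0, MF set) was sized to that link, so its total length is a
    safe lower bound. Returns None if no fragmentation was observed."""
    for h in frags:
        p = parse_outer(h)
        if p["off"] == 0 and p["mf"]:
            return p["len"]
    return None


def pmtud_round(inner_len, link_mtu):
    """One round of the receiver-reports-fragmentation mechanism, in one process.
    The report back to the sender is modelled as the returned dict (assumption:
    the thread gives no payload format for the IKEv2 notification)."""
    outer_len = esp_tunnel_outer_len(inner_len)
    frags = fragment_outer(outer_len, link_mtu)
    seen = seen_outer_mtu(frags)
    if seen is None:
        return {"fragmented": False, "outer_len": outer_len, "inner_mtu": None}
    # Sender side: translate the reported outer size into the inner MTU to advertise.
    return {"fragmented": True, "outer_len": outer_len, "fragments": len(frags),
            "seen_outer_mtu": seen, "inner_mtu": max_inner_mtu(seen)}


if __name__ == "__main__":
    first = pmtud_round(1446, 1400)      # 1500-byte outer packet crossing a 1400-byte link
    print(first)
    print(pmtud_round(first["inner_mtu"], 1400))   # second round fits without fragmenting
```

Running it shows the first round producing two outer fragments, the receiver reporting a 1396-byte first fragment, and the sender advertising an inner MTU of 1342 bytes; a second round at that size passes the 1400-byte link unfragmented. Note that this only catches fragmentation on the path between the two gateways: the receiving gateway never sees the outer header of anything that fragments beyond it.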