IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 18:07 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 107EDC1524DD for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 11:07:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTz19KrWyKjn for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 11:07:44 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D378AC1522DC for <ipsec@ietf.org>; Mon, 31 Oct 2022 11:07:44 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id l127so10403540iof.12 for <ipsec@ietf.org>; Mon, 31 Oct 2022 11:07:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HUdd/NQpPETPjDU4B6GqtBN7VF3vu6jGexRelK2gTFw=; b=RXQq59K5pQFz6IeVrw8pxP1Ez+cqkc95ubkrqEIpJL38AdUdoWeuXxYZ2he6jazkmQ Q7/IEfI/y4XBypiW2oJcgFPR3wLBfUgpk5IbvDnPx91BprIXAjSKTphVGfUj1GGmtWlP AUqAhVy5IQZ8vlisMXgm3dH7xYqJfk7FSVYDNcwgtaA9PhWEACLNWrPS7GUiQcdzYj/Q onv3YNE6GqgP95614YLDDaMW6f/kXq7Z2JU7KikEcaHlwiF5yWerz3PuAEFlwc8JpurX sYyjlP5BPId9qUg+8K4tgAWxd3nkF+CBvUWxubBJtO2zF12c2Xd99JnM9wyG6JIG0n7O j/3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HUdd/NQpPETPjDU4B6GqtBN7VF3vu6jGexRelK2gTFw=; b=insyxrj9tevf4RYnPgMex0tIMayZbeZwqAu+egMXWIDdHh14lOfUdK6m1qniZDR3WT h0Hey1i7JljyJzcnyx2W1OUQ7zH5XKpzpIC45RyuEz0YqYtISigWqLxufAsayClpjHdR XKp7MN6/5xJR0bHHEY0E+MGbMd/3Pqqia1DabrX6iZUa+Wo+MvJJrmKIRcTeaZVjIp9g d67fNSKO5PL3f7MiX7nHfG0z/0J3Of4G99WbouSeTsaoIrcNKNuo4PFi4zAuDFZ/dqmW oOMh3krf6aFXfX1O+06i1wGcbHgS3SrMGIItIT/qkXRUVijB34eN5HEsC876u7zUPVZh fcrg==
X-Gm-Message-State: ACrzQf2uhvLgaGuaOgTLCGWBKAe5bjx9TIYdMH2jdw4XCnmkdPBpQBek HXy6nbGwWW9OKCTM51u67Tv6Oi9SmW9Whrs3cOE=
X-Google-Smtp-Source: AMsMyM5vHV3MoPRIDaLlNg2uI1J0A5CaMQElF3eBmtJgET3aEYUzjCziqG9uPet2BCtQ2vydNSFuNgRD+mwF3ee7rE4=
X-Received: by 2002:a02:bb87:0:b0:371:7997:3319 with SMTP id g7-20020a02bb87000000b0037179973319mr8074745jan.139.1667239663504; Mon, 31 Oct 2022 11:07:43 -0700 (PDT)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com> <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com> <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com>
In-Reply-To: <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 31 Oct 2022 14:07:32 -0400
Message-ID: <CADZyTk=qYNqX+oyUKxn5AV-0UmkwQLqtO1bWAOUiD6jDQmbS0w@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e6148105ec587b7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/STDErHL-R0R83AFeM_mRDjSLKig>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 18:07:47 -0000

Hi,

see below some clarifications.
On Mon, Oct 31, 2022 at 12:18 PM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> See below in-line.
>
> On Oct 31, 2022, at 8:53 AM, Daniel Migault <mglt.ietf@gmail.com> wrote:
>
>
>
> On Mon, Oct 31, 2022 at 11:25 AM touch@strayalpha.com <
> touch@strayalpha.com> wrote:
>
>> HI, Tero, et al,,
>>
>> Thanks for the clarification; I now understand that what you really are
>> seeking is PLPMTUD for IPsec, but somehow using on-path fragmentation as a
>> signal. That’s a mistake, IMO, largely because it serves only IPv4.
>>
>> My understanding is that IPv6 performs fragmentation at the source, in
> which case, the receiving gateway does not need to defragment.
>
>
> Both IPv4 and IPv6 use source fragmentation, which cannot be avoided for
> tunnels (see intarea-tunnels).
>
> There are two sources (please review intarea-tunnels); please explain more
> clearly which one you mean.
>
> The original source of the packet (outside the tunnel) does source
> fragmentation. This doesn’t impact the IPsec egress (please - not
> “receiving gateway” - that could refer to ANY router on the path, either
> outside the tunnel or inside the tunnel; note that it does NOT actually
> refer to the IPsec egress because IPsec could be implemented as “bump in
> the wire” and its endpoints might not be gateways at all).
>
> But *so does the IPsec ingress*. It fragments the tunnel packets (again,
> see intarea-tunnels). It is THOSE packets the IPsec egress reassembles.
>
> Our problem is only happening with IPv4 when an on-path router fragments
> and the receiving security gateway needs to re-fragment.
>
>
> You should already stop using on-path *TUNNEL* hop refragmentation (again,
> router here is ambiguous).
>
> The “receiving gateway” is the IPsec egress of this traffic. Why do you
> keep saying it needs to refragment? It *reassembles* the tunnel fragments
> (but it has to - source fragmentation is always possible and will always
> need to be supported).
>
> I agree we are not concerned by source fragmentation but by on-path
*TUNNEL* hop refragmentation. We know these should nor be used, but it is
used and we have to deal with it. This is the scope of our document.

> We explicitly mention in the introduction that what we have is not a
> PLPMTUD for IPsec.
>
>
> Understood. But here’s the issue:
>
> - the end-to-end path can and should be using PLPMTUD
> having your system find a way for IPsec ingresses to generate *more* ICMP
> PTBs is not a solution,
> as you already note (because they’re untrusted, dropped, or not generated
> in the first place)
>
> - the tunnel has two DIFFERENT relevant MTUs
> the egress reassembly MTU (EMTU_R), which is the only thing that should
> drive the “tunnel MTU”
>
> the tunnel MTU, which the ingress needs to know for source fragmentation,
> but is NOT relevant to the
> origin MTU upstream of the ingress
>
> Will read the draft - but we believe that is better to generate one IPsec
packet for every inner IP packet as opposed to two. This is why we are
proposing to adjust the MTU so the outer packet matches the limit of the
EMTU_R - and fragmentation be avoided.

Tunnels fragment and reassemble. There is no way to avoid that or to tune
> to that, *if you implement your tunnel properly, that fact is and needs to
> be invisible* to the endpoints.
>
> Or do you want your endpoints sending 48B payloads when you transit ATM
> links too (they do still exist)?
>
> Our understanding is that we are closer to ICMP-like than a PLPMTUD. Maybe
> a PLPMTUD can be built on top of it, but we would like to avoid taking that
> path for now.
>
>
> Please review intarea-tunnels. Signals inside the tunnel are not always
> appropriate to relay outside the tunnel.
>
> But the really confusing part here is that you admit that ICMP doesn’t
> work, but you’re designing a system to detect (the wrong) info to send in
> ICMPs.
>

What we are saying is that ICMP does not work because the message and its
information is *not* received - that is it is not generated, discarded and
in the best case not trusted. Using the IKEv2 channel achieves this.

The other part of the discussion is what to do once the gateway has that
information. We do list source fragmentation, which requires no interaction
with the peers sending the to-become-inner packet. On the other hand, we
believe - and maybe we are wrong - that it would be better to avoid the
fragmentation and ask the source of the inner packet to adjust its MTU and
send smaller packets. To do so we suggest using ICMP - which is the
trusted network. As the ICMP is coming from the IKEv2 gateway, it is
plausible that this packet reaches the source of the inner packet.






>
> Joe
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email