IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Tero Kivinen <kivinen@iki.fi> Mon, 31 October 2022 11:18 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D200AC14CE40 for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 04:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLV-u8XdoiBi for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 04:18:49 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15941C14CE2E for <ipsec@ietf.org>; Mon, 31 Oct 2022 04:18:47 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id DF1D9200C9; Mon, 31 Oct 2022 13:18:42 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1667215123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K05RPJZXa674OECJoZoIyPSrW2T5eedlh2dQi8enUjo=; b=ahUahixAe+IJAY8/aJH/V67hmVxl6y9lc0rxUVcpUMuDNzjHdSZL9PUe13IGqImKlsdmx4 4RpddausosAIAfRd+/u6jvg/PozjLpk6R7iTzE56yKlr10ANuCgWtsjlHzlb0tNW6oXoON mqjctuCslyWhR6Ebq2r/3zfmvG2ZEuA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1667215123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K05RPJZXa674OECJoZoIyPSrW2T5eedlh2dQi8enUjo=; b=TXkJpLbhRlsCx7AhG5Famqp4x/M6Sm+8ZhffXxZK3GOsGWWbgqmtzgBJ9lfIJOx3Vk1mNH xzQ7aFCvzbE/l31Im4iwhFQVG2vPyF2feXTpdk6vL0BZA7qWIIzVW2yfZuZDl3G8/tOELH 097/IHPp2ApduU7pIpPxmchtUDrVoi0=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1667215123; a=rsa-sha256; cv=none; b=QltvQVW0CRhKH0MIYsoG7cXjiI4YYFGWavatWIhpTSDa7gEaBe4Jzx/5GrcbyNtAE+qCqv ghgxLV0rl4c41Kl4AvoeAVVxpBcYo/LJ4Mk3QZ5RHXV2Js7qrAcBv9yeihva8190aVsLFE j+v/sj0XZQE2GYuMPm2icxvMKlhEkAI=
Received: by fireball.acr.fi (Postfix, from userid 15204) id AD7AB25C12F3; Mon, 31 Oct 2022 13:18:41 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <25439.44817.648153.317135@fireball.acr.fi>
Date: Mon, 31 Oct 2022 13:18:41 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Daniel Migault <mglt.ietf@gmail.com>, ipsec@ietf.org
In-Reply-To: <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com>
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 9 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/UUXTHdK_M9FR2Ja_oVEGgQ2iD1w>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 11:18:51 -0000

touch@strayalpha.com writes:
>     In the best case scenario, the security gateway informs the source node to
>     reduce the size of the inner packet with an ICP PTB packet for example. 
> 
> How? It can’t send an ICMP because it doesn’t have *the* packet causing the
> problem to “reflect” back to the source. The ingress may not know who the
> source is (there may be thousands or millions of sources). So which source?

The normal case to do that is that IPsec SGW keeps track of the size
of packets that are ok, and which are too big based on the information
it receives. I.e., it might have received unsecured ICMP PTB message
from the network for its own Child SA, but only knows the SPI of the
Child SA, not who was the original sender. So it keeps track that for
this SPI the ESP packets cannot be larger than xxx bytes.

Next time it receives a packet from the source and when it is
encrypting it, it will verify that it will fit the size set for that
Child SA, and if it is too big, it will generate ICMP PTB for that
specific packet.

IPsec gateways have been doing that for years, and this has been
described in the RFC4301 section 8.2.1.

My understanding is that this draft (which I have not yet properly
read) is solving the situation where the tunnel does not get ICMP PTB
messages as they are forwarding packets with DF bit set to 0, and then
the receiving end will see extra fragmentation happening for the
packets. Then the receiving end will simulate the ICMP PTB by sending
authenticated IKEv2 notification that tells the sending end that his
packets got fragmented.

Now the sending end can do similar processing of this information that
it does for unauthenticated ICMP PTB messages received for ESP
packets. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email