Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
Tero Kivinen <kivinen@iki.fi> Mon, 31 October 2022 11:18 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D200AC14CE40 for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 04:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLV-u8XdoiBi for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 04:18:49 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15941C14CE2E for <ipsec@ietf.org>; Mon, 31 Oct 2022 04:18:47 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id DF1D9200C9; Mon, 31 Oct 2022 13:18:42 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1667215123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K05RPJZXa674OECJoZoIyPSrW2T5eedlh2dQi8enUjo=; b=ahUahixAe+IJAY8/aJH/V67hmVxl6y9lc0rxUVcpUMuDNzjHdSZL9PUe13IGqImKlsdmx4 4RpddausosAIAfRd+/u6jvg/PozjLpk6R7iTzE56yKlr10ANuCgWtsjlHzlb0tNW6oXoON mqjctuCslyWhR6Ebq2r/3zfmvG2ZEuA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1667215123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K05RPJZXa674OECJoZoIyPSrW2T5eedlh2dQi8enUjo=; b=TXkJpLbhRlsCx7AhG5Famqp4x/M6Sm+8ZhffXxZK3GOsGWWbgqmtzgBJ9lfIJOx3Vk1mNH xzQ7aFCvzbE/l31Im4iwhFQVG2vPyF2feXTpdk6vL0BZA7qWIIzVW2yfZuZDl3G8/tOELH 097/IHPp2ApduU7pIpPxmchtUDrVoi0=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1667215123; a=rsa-sha256; cv=none; b=QltvQVW0CRhKH0MIYsoG7cXjiI4YYFGWavatWIhpTSDa7gEaBe4Jzx/5GrcbyNtAE+qCqv ghgxLV0rl4c41Kl4AvoeAVVxpBcYo/LJ4Mk3QZ5RHXV2Js7qrAcBv9yeihva8190aVsLFE j+v/sj0XZQE2GYuMPm2icxvMKlhEkAI=
Received: by fireball.acr.fi (Postfix, from userid 15204) id AD7AB25C12F3; Mon, 31 Oct 2022 13:18:41 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <25439.44817.648153.317135@fireball.acr.fi>
Date: Mon, 31 Oct 2022 13:18:41 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Daniel Migault <mglt.ietf@gmail.com>, ipsec@ietf.org
In-Reply-To: <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com>
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 9 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/UUXTHdK_M9FR2Ja_oVEGgQ2iD1w>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 11:18:51 -0000
touch@strayalpha.com writes: > In the best case scenario, the security gateway informs the source node to > reduce the size of the inner packet with an ICP PTB packet for example. > > How? It can’t send an ICMP because it doesn’t have *the* packet causing the > problem to “reflect” back to the source. The ingress may not know who the > source is (there may be thousands or millions of sources). So which source? The normal case to do that is that IPsec SGW keeps track of the size of packets that are ok, and which are too big based on the information it receives. I.e., it might have received unsecured ICMP PTB message from the network for its own Child SA, but only knows the SPI of the Child SA, not who was the original sender. So it keeps track that for this SPI the ESP packets cannot be larger than xxx bytes. Next time it receives a packet from the source and when it is encrypting it, it will verify that it will fit the size set for that Child SA, and if it is too big, it will generate ICMP PTB for that specific packet. IPsec gateways have been doing that for years, and this has been described in the RFC4301 section 8.2.1. My understanding is that this draft (which I have not yet properly read) is solving the situation where the tunnel does not get ICMP PTB messages as they are forwarding packets with DF bit set to 0, and then the receiving end will see extra fragmentation happening for the packets. Then the receiving end will simulate the ICMP PTB by sending authenticated IKEv2 notification that tells the sending end that his packets got fragmented. Now the sending end can do similar processing of this information that it does for unauthenticated ICMP PTB messages received for ESP packets. -- kivinen@iki.fi
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Joe Touch
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com