IETF Logo Mail Archive

Re: [IPsec] New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt

Harold Liu <harold.liu@ericsson.com> Thu, 24 February 2022 07:51 UTC

Return-Path: <harold.liu@ericsson.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 413583A0959 for <ipsec@ietfa.amsl.com>; Wed, 23 Feb 2022 23:51:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.675
X-Spam-Level:
X-Spam-Status: No, score=-2.675 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0iu5KSkCcSnp for <ipsec@ietfa.amsl.com>; Wed, 23 Feb 2022 23:51:37 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2060e.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::60e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8C1A3A094A for <ipsec@ietf.org>; Wed, 23 Feb 2022 23:51:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AtZ19EWor1MA6w5Fb25yi14BFd3MuuJ2L0eVgWldckkdmzh6Eu1lyaoxUp8A79+o7z46ZM4Jf5lnsuh28u44l2tM83cGJqalRud6ze0DX4aJw3EEFWEACMG/qz1D12sKJUAsyeAPqdvLpnzX8vE3dHbzNPvz+IGtvpO4dUzx6Yd/TQ23S3D/HQALoUwasFaZ6SGXvlqwyTpg73d5a/NEw2CQKcoa1/b+2XzBMcoczYYV5guXJx4eagYbr/47JNF8JcpiVA5686/vGhLwMSeTBpDaqvQ205Ma1l2hufbWhJliC+KSn+48h5xzJAg/hoS57kHiVY7IrJweiON7eOtQ+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WVikmJrUzdN/m4yoTGqo7HaXJfznyIjxd9vTen26Pkw=; b=kKKc3FdAwymcy1vElf+PtkUWr+pOWjeOmdtStYQ1LtTrgTY0bjHLrOD029QtI4x55sYhkC7qxTM/S13vgHUGNk9D+HxWtWCltPUfq966hxGCL2B+NSgnU6G/HyNhjuR+yZCLCtf9+tXCLOeQ8hzvvQorfwvWRDPz61fHfflSk12ikcKf8zAYXOtCggPRpJPw3JMxO6xAVtlI88xVmsCgPrtrpFHZ27QlYp0lyrA1dcb33tiJZKdBVS9EoeF8SXXDkUvwSawwxcTgiPdLYwiTexi7wddklg9RYPxS0CFdyTWeum8XAvn2PeYfQW4mr3DQf8MNyYG1A0lhFVlgff1V4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WVikmJrUzdN/m4yoTGqo7HaXJfznyIjxd9vTen26Pkw=; b=GwSIdc/E//O9sCC04sNSfUEp/TH99m7lKrTNKm/qH9rANaQG1jiKbJZS+D2E9xaBJAalc1xrmbolbM1gkLhOb8d8HsMX1+CyWJgpSenSa/tniNu7MXqoovRvmLj3tcTtKido9FT8sqZYR26SutpEZ577ZHM3cabBg03nr2xI70g=
Received: from AM6PR07MB6056.eurprd07.prod.outlook.com (2603:10a6:20b:97::32) by VI1PR07MB5183.eurprd07.prod.outlook.com (2603:10a6:803:b1::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.9; Thu, 24 Feb 2022 07:51:29 +0000
Received: from AM6PR07MB6056.eurprd07.prod.outlook.com ([fe80::259c:da43:36b:91bc]) by AM6PR07MB6056.eurprd07.prod.outlook.com ([fe80::259c:da43:36b:91bc%6]) with mapi id 15.20.5017.021; Thu, 24 Feb 2022 07:51:29 +0000
From: Harold Liu <harold.liu@ericsson.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Thread-Topic: [IPsec] New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt
Thread-Index: AQHYKH5eEEnNBi+UYUO3jYQBHw1g0qygq/lQgAEPDQCAACk1oIAAcJfg
Date: Thu, 24 Feb 2022 07:51:29 +0000
Message-ID: <AM6PR07MB6056269C89B90B3C637989EBEB3D9@AM6PR07MB6056.eurprd07.prod.outlook.com>
References: <164559761129.12564.15927704794982969278@ietfa.amsl.com> <AM6PR07MB6056BCED2C1621D75C4A7470EB3C9@AM6PR07MB6056.eurprd07.prod.outlook.com> <1599f5ad-5871-e9d-8fd2-965829b22d6@nohats.ca> <AM6PR07MB605677111465AA07DB76C988EB3D9@AM6PR07MB6056.eurprd07.prod.outlook.com>
In-Reply-To: <AM6PR07MB605677111465AA07DB76C988EB3D9@AM6PR07MB6056.eurprd07.prod.outlook.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 813a5911-98c3-472e-8011-08d9f76a77a2
x-ms-traffictypediagnostic: VI1PR07MB5183:EE_
x-microsoft-antispam-prvs: <VI1PR07MB5183695E665C6542E73842F6EB3D9@VI1PR07MB5183.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +od8JVgeGXSdsLbF/SzO+gIwhKAUNCxlBB7W0hN2vwMTIWXPVW5avkSZNi4wswsGiUrhg935ajNjCUBDlwEMm9oHjNhDEBixp0cM1dppMl14Ah19+DX/vnoeMyBad4p7m3o7ZMq3WuxKUoCimvzFziGe99Jfanc6z1z7PtWGa5FUgCIrSOTz9OBtmVSK60jQwkL2fUx2gwzdZVXcfJtWzB2I+WeTlmllxKz43D8IdJt1nDerV6hCJns8MZv1DQU72m7g6bAf7fHrPTkTAVnW9+AhEkpi7Kau9u2jAPi2SI6A2jgXSrl6R5tMRZjVgAvpNK9GGWt2EEEYJkDPrR4OCqjMNUZOF3WPTwk6MdPJqecfTRAhPzm4ebHWXWzSWaQyiYaa84uCrkKrXKENUb0BTXuDWegBmZyVOtr0Uas0dowyhnEKnuZOVR3gHFEyoVTkav4FJox3MLD8OJa1pGQNnhd8O1dPAJYvGIpXKArs6P0Cn+ehn5r6f5d1UQCPxHJsKIxvTR7bMnWRHGLfDFUMyb1jfmjCKKnl+NFNq6ew/59Dgs8h/0GFNfF8BIeNhazNn5mu9f4YFaWS2M9Jx80a9WbIATfnYm+tViGTYwKXwWd+uAhoHC39aGAxXZPxLAMzgFNX9fxFourO/xXhCdMQ4pSUXRqDKNegbN2Mgim65oh6pEaaKPyIma24ZFMfYZys7YaliBWkjwFGTJHv4+bTbAAVEuGsDbr1BGWGFAn5t1oW6hLYpmQwWA5rtNDhKCOtoSuUuIQiVxFP3jtJKj/CiGWYeuJAfrT2edOgRkNPfc0=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB6056.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(66556008)(110136005)(76116006)(508600001)(66946007)(966005)(316002)(8676002)(52536014)(64756008)(55016003)(66446008)(8936002)(5660300002)(66476007)(7696005)(71200400001)(86362001)(6506007)(82960400001)(2906002)(44832011)(15650500001)(122000001)(2940100002)(9686003)(66574015)(38100700002)(186003)(33656002)(38070700005)(83380400001)(26005)(53546011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?ovpHTgTQn35sEJmSXVKI6rLm0Iwx0LdRiK+gIFz++H1WF44qWn4f0zH48pnm?= =?us-ascii?Q?h6ys9ZbBTz/UDEe6OKku+jMy8TQkr8AfnLjQYXMENuL23Rpqz86b1oLwSGPZ?= =?us-ascii?Q?RIOR/D3FfRzLi1IelwU1ct5KqBYKaCmBdoQ1ZwoP9SSP5NlWdxXiglEgAZbJ?= =?us-ascii?Q?qhhsgwu5CQTJYmkLvVfpGvTCk6Hgm1QPnJ1pH48v4l7TsphDjHWr/Y75NMxN?= =?us-ascii?Q?ntpBVGrJtPefZcKomQW4CqZNc5LHiIkwixH3ol44mcRABrMogCdMf2Z43fHg?= =?us-ascii?Q?u5egxrZURuQZAZXtSGbTx+JzLifYz/hhSLCM0klLxUKQh/J2wAyltDtNyn9z?= =?us-ascii?Q?oWj1SrYKUIPIPSmVATKx6IJd/BeHdkmPtrLsHPoJyJX5BJoGWhsJK6jNpn9+?= =?us-ascii?Q?kSkNh1tnDacg2koLBL01+Hho4G/RzM1HI9KwqnZFmJc3eYgEBqVPvoPr/aiR?= =?us-ascii?Q?BbLZqtFlwKN7pr+5/Y/dmoTG7ZM+lO2lvEWHgJf5lxFVQrMsxw/LzWqAf9ig?= =?us-ascii?Q?WesyJKx+x6mFnwVYE3BYgy4z+k7SEagAZA43ljYkQUmQgeEXHC5YLVucsbT0?= =?us-ascii?Q?JAQj68qamlyNSs8NTr1q2rmRIQNnXzCtMxD8yUmMWDrDrgZPfLaqXovMVC38?= =?us-ascii?Q?Q2RkhrHl0Tc3v6bMK51+AEsyEuJKMOy/RMHiQVaJsL+WfbBmT+lWvAhS8k8o?= =?us-ascii?Q?o49NdWqXj2HLx3BpdSZpeBo+4MQ19xKy7wU9ql4RZwCc/0KuDQZ3m4D+Ehq8?= =?us-ascii?Q?IgpXUP8A9KnPIDbe84rI/cw/Jqzvr+Aky+/4IhdE0vMifaHsTBc3VtDtOH0M?= =?us-ascii?Q?9rEyjWrPNEz9Yx8g9zk6GazFI/3WK5UajJJ7Dlg3i0AdDB2MiVXqsyMvAnsM?= =?us-ascii?Q?s1orKkjb+L52twcgbPI3bW2+kZCQ4JX1MUwrrxl04AcAS7itFAI7x4oD2lUK?= =?us-ascii?Q?SjQRBwcnJWLtDTjRwI+aHTUyWS81VvM8i+VxJ1CE0weG35VYqUETp709yeiw?= =?us-ascii?Q?Q8WtVF7tIdTBQjMLsdaGzZyHLFoKuoL5xQ3Jv1LUngPdY4WN2+V11ctD8WBL?= =?us-ascii?Q?xAHUVerfTIxfANpH9hcviXWBO1TOjV2RZLLTHxH5cqgUQ2tZuzeOkRy/J0Qp?= =?us-ascii?Q?APJu2XhQJMfhL7ZDBlQD0oxYvatMon/GKepDYPU/PUbUbWsxWaZ4FZ2yg0PS?= =?us-ascii?Q?WlKdZSnZIVEI5cLeffzScNAC1V2IGpn/QfZ/PZWAW31mGk8TnsUkHVI2ghpY?= =?us-ascii?Q?IHizAT5wFhqzNG+S0z0Er1wvUgiVT4vUcj5WXcl+/BtS5PT6krVgpZ47KN7R?= =?us-ascii?Q?SlHXBIn/0chJP8fqlvAWVUU+tiz7yfE2StqQa65GCPG1RyVUzEaRH7v3tX7X?= =?us-ascii?Q?2DGIZjobCxE+YI7SEJLcAEyeKy/tPtfIFTbV+w41HQKQyvytYwFgJXIzK5n/?= =?us-ascii?Q?2GRJToT2njelZDCZVuD76PzdxyC7KO/uXfo4p7M4GkgQXvMTV32Awigsv8N4?= =?us-ascii?Q?Lu3n5qFrQnycZ0r8IBJo3Z8xmWr0CwLDyMETdp1fwPDuM9JraY2pWxEsX4lT?= =?us-ascii?Q?mL1vULbnokLCkY4n+kQBMLKF/lP/nSboWxq+n6tpdE8TQIo2uqZjfPxZagXg?= =?us-ascii?Q?XIQrhG5/NUac49yvXnPgzOM=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB6056.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 813a5911-98c3-472e-8011-08d9f76a77a2
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Feb 2022 07:51:29.5055 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zUOJJ6G0KIQTZUMasQOL2A4cJ4N4P1JOPxbA/g/qN49f1KViLNShDt+b45hbonuMaZNcmbIX7u3PFKubgw4UXQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5183
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Uq0-JcI2EEPSs7H0Q_hw9A7YHdA>
Subject: Re: [IPsec] New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 07:51:40 -0000

Paul, I further consider your concern below and I think I did not deep understand it before.
You are right currently there is no mechanism to recover to a larger MTU, I will further think of it and update to you later.
Again, really thank you for your valuable comments.

- As paths over the internet change, this draft can kick in to reduce
   the size, but I see no method to go back to a larger size once the
   path between the endpoints recovers again.

Brs

-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Harold Liu
Sent: Thursday, February 24, 2022 11:21 AM
To: ipsec@ietf.org; Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Subject: Re: [IPsec] New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt

Paul, thanks for your comments and I am really glad that you are interested in this topic.

Please see my response inline.

-----Original Message-----
From: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Sent: Thursday, February 24, 2022 6:38 AM
To: Harold Liu <harold.liu@ericsson.com>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt

On Wed, 23 Feb 2022, Harold Liu wrote:

> Recently we ran into a real problem in some IPsec use case - In customer application scenarios, ESP packets are fragmented, which causes many problems - Including performance problems, device resource problems, and even traffic loss (In customer use case, it is IPsec over NAT scenarios so ESP packets are encapsulated by UDP.  Therefore, except for the initial fragment that contains complete UDP header, other fragments can only indicate UDP protocol in the IP address, but do not have UDP header. Therefore, they may be incorrectly identified by other applications and captured - The fragmented IP payload is regarded as a UDP header.  ESP cannot be reassembled and the package is lost).

When this happens, the application should be missing its packets, eg TCP or UDP and could reduce its MTU based on that as well. In other words, why would we want a second mechanism to do this, where these two mechanisms could end up fighting.
<Harold>
       The application cannot reduce its MTU when this happens because the packet lost, the application does not know the packet loss reason so as to cannot reduce the MTU and even cannot know what is appropriate to reduce to.
       For the TCP the standard action is retransmission according to sequence number received last time, but this could make trouble including but not limited to (I believe there are lots of description about TCP packets retransmission  disadvantages) performance is significantly affected from an application level, and this continues to happen because the MTU of retransmitted TCP does not change.
       UDP is an unsolid transmission mechanism, UDP itself does not have any mechanism to detect packet loss. Some application/protocols over UDP (eg NTP/SNMP/IKEv2) may check whether the expected packet is received and take corresponding actions - such as request retransmission or timeout detection - but cannot detect that the packet loss is caused by the MTU, and therefore cannot reduce the MTU.
       So there is no conflict between the two mechanisms.
</Harold>

> The below announcement is that draft. We would like to work with the community to improve and clarify tech draft.

Some concerns:

- What if a malicious entity able to filter on path would "fragment" the
   packet into tiny bits. It would reduce the MTU of the IPsec link to
   unhealthy size. There should be a minimum defined <Harold>
       You are absolutely right that malicious attacks are really an issue
       that must be considered and we should have a reasonable
       minimum MTU to filter such cases; I will update this to the draft.
</Harold>

- As paths over the internet change, this draft can kick in to reduce
   the size, but I see no method to go back to a larger size once the
   path between the endpoints recovers again.
<Harold>
       What you mentioned is a problem indeed.
       In fact, this is an oversight I made when writing the draft.
       The scheme itself can cover scenarios in which the MTU
       changes - mainly increases in size - this mechanism should
       continuously checks whether the incoming ESP packets are
       fragmented, if the incoming ESP packets are fragmented
       calculate the MTU and notify the peer end again.
       I will describe this explicitly in the next draft update.
</Harold>

- How does this interact with ESP padding ?
<Harold>
       I don't see any obvious problems working with ESP padding
       especially combined with your first concern - minimum-limiting
       MTU to prevent attacks, the ESP padding is less risky;
       Perhaps I should have added some description in section 5,
       stating that ESP tailer (Include padding) should be considered
       in addition to tunnel header length and ESP header length
       when calculating MTU;
</Harold>

- I can see applications just sending a 1200 MTU request "just to make
   it always work", which basically means a few years down the line,
   everyone ends up with reduced MTU. This is what happened with IPsec/L2TP
   where the ppp interface is basically 1200 everywhere.
<Harold>
       IMHO, PPP/L2TP is a bit outdated. At present 4G/5G IP RAN networks are
       basically over Ethernet, with typical topologies as follows:
       UE <-> Radio <-> (Baseband, optional) <-> FrontHaul <-> BackHual <-> Internet <-> Core
       The "Internet" is what we cannot fully control offten, so ESP MTU issues happen from time to time.
</Harold>

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.8.7 | Report a Bug | By Email