IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 31 October 2022 16:18 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64DAFC14CF17 for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 09:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.326
X-Spam-Level:
X-Spam-Status: No, score=-6.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I73dc2Lh8WUY for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 09:18:10 -0700 (PDT)
Received: from server217-2.web-hosting.com (server217-2.web-hosting.com [198.54.115.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACFD7C14F73B for <ipsec@ietf.org>; Mon, 31 Oct 2022 09:18:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Fi1weYPZRE2lKEzyClZalexlXinDJvb88YH3P0U7dbg=; b=OmnapGpZ7LxanR7FbBRGsZ+7Z3 HxHJFl+2X+FEfvXXHZR9SJqwG/CFqfMqePrhWDFIXKj9ErbKHl5szNLca7gaPi3WwaPVjjuBKIGGn k6/F/KCeZe21lTPW6caIPPf0gj8Uq8CXvmTXpMj3l8vUAf9lOk7gi7nOSnQVsOclXkkPRdFHIahLp TZ2/1lrAuTEu/liaHdPKn0AlsEZc3fF0GFULtKMKqvobIICiIZ5xNsbXsFbX67nLUCGvZZHlj/Dni 4rZEiCRceE/hPgLvbVg6ZwOm/67vMdxE2E3Q0zCIR36l6E60tPqCWX6n+/py2doswpTTsfVxYuhnJ IvsvsaqQ==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:60957 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1opXU9-006wr0-GF; Mon, 31 Oct 2022 12:18:06 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_69501F28-1025-4866-B33C-75DD0CF7566D"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com>
Date: Mon, 31 Oct 2022 09:17:50 -0700
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Message-Id: <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com>
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com> <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/VI6cBbcckFzYqXLyXlpL5Sh16NM>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 16:18:15 -0000

See below in-line.

> On Oct 31, 2022, at 8:53 AM, Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
> 
> 
> On Mon, Oct 31, 2022 at 11:25 AM touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote:
>> HI, Tero, et al,,
>> 
>> Thanks for the clarification; I now understand that what you really are seeking is PLPMTUD for IPsec, but somehow using on-path fragmentation as a signal. That’s a mistake, IMO, largely because it serves only IPv4.
>> 
> My understanding is that IPv6 performs fragmentation at the source, in which case, the receiving gateway does not need to defragment. 

Both IPv4 and IPv6 use source fragmentation, which cannot be avoided for tunnels (see intarea-tunnels).

There are two sources (please review intarea-tunnels); please explain more clearly which one you mean.

The original source of the packet (outside the tunnel) does source fragmentation. This doesn’t impact the IPsec egress (please - not “receiving gateway” - that could refer to ANY router on the path, either outside the tunnel or inside the tunnel; note that it does NOT actually refer to the IPsec egress because IPsec could be implemented as “bump in the wire” and its endpoints might not be gateways at all).

But *so does the IPsec ingress*. It fragments the tunnel packets (again, see intarea-tunnels). It is THOSE packets the IPsec egress reassembles. 

> Our problem is only happening with IPv4 when an on-path router fragments and the receiving security gateway needs to re-fragment.

You should already stop using on-path *TUNNEL* hop refragmentation (again, router here is ambiguous).

The “receiving gateway” is the IPsec egress of this traffic. Why do you keep saying it needs to refragment? It *reassembles* the tunnel fragments (but it has to - source fragmentation is always possible and will always need to be supported).

> We explicitly mention in the introduction that what we have is not a  PLPMTUD for IPsec.

Understood. But here’s the issue:

	- the end-to-end path can and should be using PLPMTUD
		having your system find a way for IPsec ingresses to generate *more* ICMP PTBs is not a solution,
		as you already note (because they’re untrusted, dropped, or not generated in the first place)

	- the tunnel has two DIFFERENT relevant MTUs
		the egress reassembly MTU (EMTU_R), which is the only thing that should drive the “tunnel MTU”

		the tunnel MTU, which the ingress needs to know for source fragmentation, but is NOT relevant to the
		origin MTU upstream of the ingress

Tunnels fragment and reassemble. There is no way to avoid that or to tune to that, *if you implement your tunnel properly, that fact is and needs to be invisible* to the endpoints.

Or do you want your endpoints sending 48B payloads when you transit ATM links too (they do still exist)?

> Our understanding is that we are closer to ICMP-like than a PLPMTUD. Maybe a PLPMTUD can be built on top of it, but we would like to avoid taking that path for now. 

Please review intarea-tunnels. Signals inside the tunnel are not always appropriate to relay outside the tunnel.

But the really confusing part here is that you admit that ICMP doesn’t work, but you’re designing a system to detect (the wrong) info to send in ICMPs.

Joe

v2.23.0 | Report a Bug | By Email