Re: [IPsec] Dynamic PMTUD over IKEv2
Joe Touch <touch@strayalpha.com> Wed, 24 January 2018 15:01 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62B81126CBF for <ipsec@ietfa.amsl.com>; Wed, 24 Jan 2018 07:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpdtcUXhQMCw for <ipsec@ietfa.amsl.com>; Wed, 24 Jan 2018 07:00:57 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F661250B8 for <ipsec@ietf.org>; Wed, 24 Jan 2018 07:00:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=References:To:Cc:In-Reply-To:Date:Subject: Mime-Version:Content-Type:Message-Id:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=UrBfHWgzVeX4JxTmCZfBkUl5XrOSmBh5xv1QPqeyTtc=; b=eB5T687N0hLncug9zddUylXBi KZqJAxEjkiDEnGvfvKGjHV4TzqzRcvgB0oJ5vQBf4k2NeDy4/Q48L/09rS0Yy1AIX61auyVqvhQ9v 4XAvEnJ5xxk0R1Bjq/mh93ax6McWP4s6AHQDUYr6jKOKN06DkqHlDKlGwHDjmZvlXhVmntV1jRgTU 2VNS4gEMiFI/5zNLe5ETFuMEO9g4dperchruqBrN46UQMlYbcg7FINi5d+9m0ngGLxoa9QlpHLkRn L3CqvTpRNakFNKGHhQOobw1d+FhjJbmVwq1wz8LLSsFWIRfg0xpYHQiw/+idnAECQGNZ6MlWuXdXQ lTsrZR3sA==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:50539 helo=[192.168.1.87]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from <touch@strayalpha.com>) id 1eeMXQ-0041N7-Vm; Wed, 24 Jan 2018 10:00:36 -0500
From: Joe Touch <touch@strayalpha.com>
Message-Id: <5A10F40C-EC3E-4643-BCDD-6A9B24F4DDF6@strayalpha.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_096A80F5-2EA8-4D0B-9DDB-FB76FAA2020A"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 24 Jan 2018 06:59:43 -0800
In-Reply-To: <2064C97D-2E9A-4BEE-851B-5F91D0E08413@gmail.com>
Cc: Shibu Piriyath <spiriyath@juniper.net>, "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
To: Dan Wing <danwing@gmail.com>
References: <CY1PR05MB1867D823D8A05A0D92530830A1E30@CY1PR05MB1867.namprd05.prod.outlook.com> <9D48AC2A-32B8-42EF-B4DF-4825E4D75A32@gmail.com> <2064C97D-2E9A-4BEE-851B-5F91D0E08413@gmail.com>
X-Mailer: Apple Mail (2.3273)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/dTkZe2dokW7ifpZObl6ywOleaV0>
Subject: Re: [IPsec] Dynamic PMTUD over IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 15:01:01 -0000
Hi, all, FYI - there is also a UDP PLPMTUD draft in process that leverages the new UDP options I’m currently developing, which might be useful to take a look at as well: draft-fairhurst-tsvwg-datagram-plpmtud Joe > On Jan 23, 2018, at 1:04 PM, Dan Wing <danwing@gmail.com> wrote: > > >> On Jan 23, 2018, at 9:56 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: >> >> >>> On 23 Jan 2018, at 12:29, Shibu Piriyath <spiriyath@juniper.net> wrote: >>> >>> Hi All, >>> >>> We have come up with a proposal for discovering Path MTU between IPsec head-ends dynamically using IKEv2 messages. >>> Please review the draft - https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-00 and let us know your comments, >>> >>> Thanks, >>> Shibu. >> >> Hi Shibu. >> >> Thank you for working on this. I have some comments. >> >> >> Administrative/political: >> This document proposes an IPv4-only mechanism. While the IETF has not (yet?) approved" [1] (see discussion threads [2] and [3]), there needs to be some justification for why we’re doing an IPv4-only mechanism. Is this not a problem in IPv6 (Because we assume that PTB responses propagate correctly in the IPv6 network that in the IPv4 Internet routers routinely fragment) or is there some other mechanism for IPv6? >> >> >> Terminology: >> - I usually encounter the terms ingress and egress for interfaces of a particular router or host. I think it would be clearer to use “tunnel ingress” and “tunnel egress” or “encryptor” and “decryptor” >> - "Overhead is the number of bytes required for tunnel encapsulation”. Overhead is then used as a number that is subtracted from physical MTU. However, the overhead is not constant. IPsec requires padding to some multiple of 4, 8, or 16 depending on the algorithm. I suggest modifying the definition of overhead to “Overhead is the *maximum* number of bytes required for tunnel encapsulation” >> - "fragmentation within the tunnel is allowed” - this is about fragmenting an ESP packet that is too large. I don’t think “within the tunnel” is the best term for this. How about “fragmentation of the ESP packet by intermediate routers is allowed” ? >> >> >> >> >> Technical: >> If the >> packet length is greater than the tunnel MTU and the packet can be >> fragmented, the ingress node fragments the packet, encapsulates each >> fragment, and forwards each encapsulated fragment through the tunnel. >> >> >> That’s one way of doing things. Another is to encapsulate the packet anyway and send the ESP packet out in fragments. This way is also compatible with IPv6. I know of at least one implementation that does this. >> >> >> There is an assumption that the egress node knows about the fragmentation. Usually some layer in the stack will defragment before handing the IPsec stack a re-assembled IPsec packet to decrypt. Maybe some implementations are more integrated and the IPsec stack has this information, but this assumption needs to be stated explicitly. >> >> >> Some routers drop packets that are too big instead of fragmenting them. Of these, some send back the PTB and some don’t. An active PMTUD method (ingress sends dummy packets of various sizes and receives acknowledgements from egress if they arrive) can work with such intermediate routers. > > Also known as PLPMTUD (packetization layer path MTU discovery), https://tools.ietf.org/html/rfc4821. Most similar to IKE is this presentation that describes PLPMTUD with STUN; IKE could do similar thing, https://www.ietf.org/proceedings/73/slides/behave-10.pdf. There is an RFC describing PLPMTUD for TCP, but I don't cite it because TCP. > > The I-D should also encourage re-setting the path MTU following the same plateau algorithm described in RFC1191, or explain why that algorithm is bad and instead the algorithm described in the I-D is superior (the I-D describes discarding the learned MTU and re-learning, from scratch). > > -d > >> This method cannot. >> >> >> How do you prevent the following attack? The attacker manages to drop or delay one ESP packet. It captures this packet and retransmits it in small fragments. This induces the egress to send the notification from section 3.2 to the ingress, causing it to internally fragment all future packets. >> >> Yoav >> >> [1] https://tools.ietf.org/html/draft-ietf-sunset4-ipv6-ietf-01 >> [2] https://www.ietf.org/mail-archive/web/ietf/current/msg104661.html >> [3] https://www.ietf.org/mail-archive/web/ietf/current/msg104721.html >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Dynamic PMTUD over IKEv2 Shibu Piriyath
- Re: [IPsec] Dynamic PMTUD over IKEv2 Yoav Nir
- Re: [IPsec] Dynamic PMTUD over IKEv2 Dan Wing
- Re: [IPsec] Dynamic PMTUD over IKEv2 Joe Touch