IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 31 October 2022 02:28 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54971C14F73E for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 19:28:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.325
X-Spam-Level:
X-Spam-Status: No, score=-1.325 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sr2YZDU0W0pT for <ipsec@ietfa.amsl.com>; Sun, 30 Oct 2022 19:28:32 -0700 (PDT)
Received: from server217-2.web-hosting.com (server217-2.web-hosting.com [198.54.115.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21622C14F722 for <ipsec@ietf.org>; Sun, 30 Oct 2022 19:28:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=OgZ92fptbRYzDtM1mAOQUnQWnZITwZfUA4vpHCRNoJo=; b=gMW5KajAuav6kZPCTdwUNg81KK YBCRXpZCq4lBvrEPTY0sTUcA7FSpeCzGOfsWTu7ZNSDvRm4Rh4dRY6XGJKAtY9wxbVOtvz1Y87tey ZVOeq0Legk+3xdIIhlgFNzGg0rTQw0t1dnjxyOa2OSQEFxl7ZWit/pmzThAqZCw5aVvVajWYxFpUv o5Qsu6iXabr2srmats/IyobnzNcavb+YN7cfCJGlGwNxX82WBs8TINo0TQ/2wasTSEoEs/gLedWcb X1skTRRQw2ORiogV7BDZXPGqSYMSaRraTOYxlL2N3lUpM5PCMOuKx8MtHiHE6zyqZrJpz5J7XSBma 2sxE481Q==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:59291 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1opKXI-0089YS-HX; Sun, 30 Oct 2022 22:28:30 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_47386530-0D2F-4468-8FC7-AABF6E1334D5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com>
Date: Sun, 30 Oct 2022 19:28:13 -0700
Cc: ipsec@ietf.org
Message-Id: <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com>
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/en29Hl6JIY7ru-HMdkfUHeWRezs>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 02:28:37 -0000

> On Oct 30, 2022, at 6:33 PM, Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
> Thanks Joe for the feedback. I responded inline to your questions. 
> 
> To the main question: what is this a solution for ? It is a solution to avoid an ingress security gateway to become overloaded by de-fragmenting packets.

We need to get terms clarified. The IPsec tunnel Ingres encapsulates source fragments. The IPsec tunnel egress defragments.

> The main idea is that the ingress security gateway informs the egress security gateway that fragmentation is occurring  with an indication of the maximum size of the packet.

The ingress does source fragmentation as needed. The egress might know which fragments got through, but that assumes a PLPMTU discovery mechanism (where the source tries different fragment sizes), which isn’t what you’ve described. But either way, this tells you the size of the packets that get through the tunnel.

Note: there are two different sizes that are relevant here: the path MTU of the tunnel (the source has to fragment packets into chunks no larger than that or they won’t traverse the tunnel) and the egress reassembly size (EMTU_R of the egress). The only packet the egress can’t reassemble is one that exceeds EMTU_R.

However, the doc talks about the MTU downstream of the egress, which is (best case) the path MTU from the egress to the destination or (worst case) just the link MTU of the next hop out of the egress. Nothing the ingress does has any bearing on packets that traverse that path - once they leave the egress, they’re just the origin packets.

> In the best case scenario, the security gateway informs the source node to reduce the size of the inner packet with an ICP PTB packet for example. 

How? It can’t send an ICMP because it doesn’t have *the* packet causing the problem to “reflect” back to the source. The ingress may not know who the source is (there may be thousands or millions of sources). So which source?

I still don’t see a useful mechanism here - I recommend you take a look further at the tunnels draft (which explains all of this in detail.

> I do believe that the communication between the ingress and egress security gateway is in scope of IPsec.

It definitely is, but the questions here are many:
	- what information do you think the egress has that is useful to share with the ingress?
	- what would the ingress do what that information if thad it?

> My perception is that it is an ICMP PTB with the assurance the message is received.

ICMP PTBs can (and do, in some cases) happen on the tunnel and go back to the tunnel ingress. 

> What I think you mean is outside the scope of IPsec is sending an ICMP PTB message (in the case of a remote node) or changing the MTU directly in the case the source node and security gateway are the same entity. What is unclear to me is whether the current design violates anything or why it wouldn't work.

First, it won’t work when they’re not the same node. Second, it won’t work unless you know which source on that node to signal - which you don’t. 

> Then, do you have any recommendations to achieve what we are trying to achieve ?

Again, please read the tunnels draft; it explains why this isn’t useful.

Joe

> 
> Yours, 
> Daniel

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> 
> 
> 
> 
> 
> 
> 
> 
> On Sun, Oct 30, 2022 at 6:04 PM touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote:
>> There are some issues with the doc:
>> 	- abstract has a typo, doc uses ’node’ where it should use ‘router’ for on-path frag, etc
> easy to fix. 
>> 	- discussion should to be more specific with respect to RFCs 1122, 792, and 4821
> Apart from 1122, we have all these references. If you still have in mind what needs to be more specific that would help. From the text below, it seems the use of egress / ingress should be used as opposed to upstream, downstream. Is that what you mean ?
>> 	- the overall problem is assumed but never clearly defined
>> 
> In the intro we have the following text that intends to capture that we are willing to avoid reassembling.
> 
>   IPv4 packets are often fragmentable with
>    their DF bit set to 0.  In this case, as described in [RFC0792], when
>    a packet size exceeds its MTU, the node fragments the incoming packet
>    in multiple fragments.  The inconvenient is that the receiving
>    security gateway will have to re-assembled the multiple fragments to
>    rebuilt an ESP packet before being able to apply the IPsec
>    decapsulation. 
> 
> 
>> I agree with Michael Richardson’s post of 8-16-22 on a few points:
>> 	1) it is premature for a TSV ART review of this document
>> 		I’m not actually sure that TSV review is relevant, as tunneling is more an INTDIR issue (on which I do not sit),
>> 		though I’m probably at least as appropriate a reviewer on tunnel issues
> This is a chicken and egg issue. We do not want to design/discuss a solution within the ipsecme WG without some feedback  that what we are doing will not be opposed by the transport area.   
>> 	2) this discussion is confusing as to both aspects and terminology of tunneling
>> 		I encourage those interested review draft-intarea-tunnels - while expired 
>> 		(I’m getting back to it), it remains definitive in the IETF AFAICT
>> 
>> The stated point of this work, rephrased, is to have the IPsec tunnel egress tell the IPsec tunnel ingress that the (next hop) link MTU out of the egress (i.e., after traffic exits the tunnel) is too small for the packets the egress node tries to forward.
> Correct.  
>> 
>> So it tells the tunnel ingress that the egress link MTU is too small. But that MTU is of the origin packet (not the tunnel packet, which includes the source packet as a paylaad), which the tunnel ingress has no control over.
>> 
> My understanding is that you are saying the outer packet size is defined by the inner packet size, so the reduction of the packet size needs to be implemented by the source of the inner packet, and there is actually little the IPsec egress tunnel security gateway can do. 
> If that is correct, I do agree that that information should be relayed to the source node of the inner packet, but I believe this is what we mentioned and section 4.2 lists 3 ways to handle this.
> 1) The IPsec egress tunnel security gateway can inform the source of the inner packet to reduce its MTU with ICMP PTB. That inner MTU is derived from the outer MTU. 
> 2) The IPsec egress tunnel security gateway may perform the fragmentation of the inner packet.
> 3) The IPsec egress tunnel security gateway may fragment itself the outer packet. 
> 
>> I.e., this isn’t a signal from the egress to the ingress about the tunnel (path) MTU.
> isn't it from ingress to egress ? Currently, in our proposal the IPsec ingress security gateway is returning 2 type of information to the IPsec egress security gateway:
> * the fact that the outer IP packet is fragmented
> * the value of the outer MTU.  
> As far as I understand, you seem to say this is not a signal related to the inner communication (that is inside the tunnel). I tend to agree, but I also do not see that information completely uncorrelated and we expect the security gateway to "translate" that information to the source of the inner packet. A huge advantage of such information is that it is being transmitted by the ingress IPsec security gateway to the IPsec egress security gateway over a secure channel. In our opinion this adds at least some value over the ICMP PTB.In terms of information I tend to agree that this information is similar except that that information can be assumed to be received by the other security gateway. 
> 
>> Even if it were, then the tunnel ingress would be sending more fragments (at the tunnel ingress by source-fragmented at the outer header); it can’t change the MTU of the origin packets it happens to receive — that happens at the packet origin, which can be upstream of the ingress, or at a minimum is outside the scope of IPsec (even if the ingress and packet origin are a the same node).
>> 
> I do see two aspects. On that one security gateway provides some information regarding its processing related to IPsec. At the very least informing the egress security gateway that it straffic is causing a DDoS seems in scope. 
> Now, it is also correct that providing such information if no action can be taken is not very useful. In our case, we do mention some actions that can be taken and one of these actions is that the security gateway sends an ICMP PTB message. It is unclear to me if that is what you are mentioning as out of scope of IPsec. I see this as similar to a router that needs to fragment and sends to the source an ICMP PTB packet. 
>    
>> What exactly is this a solution for?
> The solution is to avoid the receiving gateway to re-fragment.  
>> 
>> Joe
>> —
>> Dr. Joe Touch, temporal epistemologist
>> www.strayalpha.com <http://www.strayalpha.com/>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ipsec
> 
> 
> -- 
> Daniel Migault
> Ericsson
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email