IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Sat, 26 November 2022 14:25 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9B52C14CF14 for <ipsec@ietfa.amsl.com>; Sat, 26 Nov 2022 06:25:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id axLGFF6H-2_s for <ipsec@ietfa.amsl.com>; Sat, 26 Nov 2022 06:25:58 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A171C14CF10 for <ipsec@ietf.org>; Sat, 26 Nov 2022 06:25:58 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id p10-20020a9d76ca000000b0066d6c6bce58so4288938otl.7 for <ipsec@ietf.org>; Sat, 26 Nov 2022 06:25:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lhb7YvVF3baoX1eRVHgy2DaJ+gmvLy9SxwtUH00mCRo=; b=jkycZ/5LONNtsAXzzDCV+vzS1zMFmH2BRGAesnNwxiz+Ib0wnxruSk2GvRAuVW7+Ry LMiLDxMUpQg+8X/Zu74FFTQU8PATLRcSieAcGMNRcpNoCeXzaiYlkRKeXT3xzlq/KVyc 8AURyoWidvp1E6BBaMy1ppDhenMRyV6muRZbSB3i0ACZJDn3uB+gjqQW6XOKrWuWl28A XeQ7CnvDj6LQRpVy5fmXnZzUm4H3sCeuQt2h516N/I83qX8FtAKD7Zy+bafMxEaLs/D3 GPldEISmFsMp6HOH/RU/cC/E61xSUS8Hx6CCKcDKqp4T3Lbk0nk+yod0/LsDGWCFKzQs 4clA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lhb7YvVF3baoX1eRVHgy2DaJ+gmvLy9SxwtUH00mCRo=; b=3aZTjhJHL/w0pY/d0N31E2bl+qLU1LPuuOeDxfMnadfS6IDzvIClUGzlh7ncpYWEdx RxhVlYLyIU84RRg44s51yon9hXbdbjPJnDj2B5dRhyZW9nImymcfEv/aSboOcJBuUE9I IFxfCByfI5/GSg9hBi1NmaSmj8MbB0DaTvXl37AypFzbDQXGS3NHXtgl7iXh3BYWLjeu NqUnAtAihP5fCJ1qkUZczEeeUwMIj9OFuiTysx1aXDXBbol8YnophYHS+1Ug3y1JOj41 6KktWp/is/lmaXQ7cq2dZXimxT7RL5I7GkovHpSPFEf0orLqCvpGGBeeR9XsctB7sGtL xm0g==
X-Gm-Message-State: ANoB5pnAMal5pVPoHPC+7dumvmAa0qM1BlgvL2EXKT8i4NMkY/HzWf0E kSbYIZVGuQUYEu+Kyrb5XkMlzOUxUWrLe4FMOkv3Tvsy
X-Google-Smtp-Source: AA0mqf60dYlDd9tPRJae8t4Mhv9SWPxFnEXetT9/hjeWYklKXlQlorqIKMzaDTzVJ5s6sPyc20nvCb53Kry4U4Ex4Lk=
X-Received: by 2002:a9d:7389:0:b0:66c:3574:112b with SMTP id j9-20020a9d7389000000b0066c3574112bmr11453329otk.385.1669472757572; Sat, 26 Nov 2022 06:25:57 -0800 (PST)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com> <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com> <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com> <CADZyTk=qYNqX+oyUKxn5AV-0UmkwQLqtO1bWAOUiD6jDQmbS0w@mail.gmail.com> <8F02DADA-F86D-42B2-8835-9F1EAABBBAF6@strayalpha.com>
In-Reply-To: <8F02DADA-F86D-42B2-8835-9F1EAABBBAF6@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Sat, 26 Nov 2022 09:25:43 -0500
Message-ID: <CADZyTkkFEBEdKFYKqAmTKKg68xbmAH3yNH3_JJLpUUDYuhoKDQ@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ad698a05ee606a1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/i9WPXHCKnLFkNYqP_fSsFc8tUkc>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Nov 2022 14:25:58 -0000

Hi Joe,

So  we just published an update of our draft. We try to catch up the
complete idea in the introduction - to avoid reading the complete draft. I
think we partly aligned with the tunnel document. The current version only
describe the security gateway as a node and does not split it between a
outer and an interface. I think for the remaining of the document we are
taking the exact terminology from the tunnel draft.

We believe that IKEv2 and the tunnel document have different visions and
tried to highlight this also.

One big clarification in my point of view is that the previous version
confused MTU with MAP.

We are happy to get your feedback.

Yours,
Daniel

On Mon, Oct 31, 2022 at 5:32 PM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> On Oct 31, 2022, at 11:07 AM, Daniel Migault <mglt.ietf@gmail.com> wrote:
>
>
> - the tunnel has two DIFFERENT relevant MTUs
>> the egress reassembly MTU (EMTU_R), which is the only thing that should
>> drive the “tunnel MTU”
>>
>> the tunnel MTU, which the ingress needs to know for source fragmentation,
>> but is NOT relevant to the
>> origin MTU upstream of the ingress
>>
>> Will read the draft - but we believe that is better to generate one IPsec
> packet for every inner IP packet as opposed to two. This is why we are
> proposing to adjust the MTU so the outer packet matches the limit of the
> EMTU_R - and fragmentation be avoided.
>
>
> That doc explains why this is effort isn’t useful. As I noted to Tero,
> there’s no ICMP message that says “bigger than I’d like”. PTB means
> “packets larger than this will be dropped”. That’s not what’s going on
> here, so it’s the wrong message to support.
>
> There is no message that supports what you’re trying to do - perhaps
> because there can’t and shouldn’t be.
>
> Joe
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email