IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

"touch@strayalpha.com" <touch@strayalpha.com> Sun, 08 January 2023 16:45 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20D18C14F719 for <ipsec@ietfa.amsl.com>; Sun, 8 Jan 2023 08:45:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.315
X-Spam-Level:
X-Spam-Status: No, score=-1.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27G10xAEnZ1A for <ipsec@ietfa.amsl.com>; Sun, 8 Jan 2023 08:45:42 -0800 (PST)
Received: from server217-2.web-hosting.com (server217-2.web-hosting.com [198.54.115.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 109D6C14F692 for <ipsec@ietf.org>; Sun, 8 Jan 2023 08:45:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=zlmChJ2u3WR78H1eq8TDcDTOCwl1xIkKA13CbeOaChg=; b=Z49k5f5K7Rsp/C3ipVk4CrRHMD yzPJscOOrkd9JC18xMtGTGrxGELPThVTLi19VSkmKXD7NnHgEmVuDN5PklEnR1BBYbL+/yR3fA/iM KyeYmcFD4WyAHzHz46bwsxLeVPHhB+vlz3HVlUKrlqhjnFoz+51qHpV64eoXFAzNDgD+YJMY5Hwl2 tGA4CXrk7OzV+gim9dllWQcpqcWbI8eFZKNn3ye4AgnIpFZHfSoQqH7XJFaeUt0pXXhLQrQiVBs8A uXXFh5pfDVs0WLjLHG0Y//yZo2newtiBeybGnT1/cteZEIf9hXkl85AM4ccAhmCjfk/wyioIns0nn kYrWIBKQ==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:49944 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1pEYnb-007Lzn-Uw; Sun, 08 Jan 2023 11:45:36 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_10290117-D908-4A4C-8D10-2DBE2C0B117F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CADZyTkmf1UYVJ+wJ4DSbYygrpDfU2UyQ7Xq_RZ=C4LQMsy_22Q@mail.gmail.com>
Date: Sun, 08 Jan 2023 08:45:20 -0800
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Message-Id: <A8146A62-ED80-4D82-AF26-99DC3392DA12@strayalpha.com>
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com> <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com> <231766BD-0511-4C8E-AC75-5DBCB58105C5@strayalpha.com> <CADZyTk=qYNqX+oyUKxn5AV-0UmkwQLqtO1bWAOUiD6jDQmbS0w@mail.gmail.com> <8F02DADA-F86D-42B2-8835-9F1EAABBBAF6@strayalpha.com> <CADZyTkkFEBEdKFYKqAmTKKg68xbmAH3yNH3_JJLpUUDYuhoKDQ@mail.gmail.com> <CADZyTkmf1UYVJ+wJ4DSbYygrpDfU2UyQ7Xq_RZ=C4LQMsy_22Q@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
X-Mailer: Apple Mail (2.3731.300.101.1.3)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/o8J8peLaZmllvdm12X12h5H-kWs>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2023 16:45:46 -0000

Hi, Daniel,

The abstract clearly states a goal that is not achievable (of avoiding reassembly). The best way to avoid the impact of mid-tunnel fragmentation is to use IPv4 as a tunnel header the way that IPv6 would be - with DF=1. However, even so, the egress always needs to handle reasssembly as long as there is even source fragmentation.

I appreciate what you WANT to do - but again, it is not possible. You have two behaviors - either use inner fragmentation (which won’t work for transit traffic where IPv4 DF=1 or any IPv6) or reduce the tunnel MTU.

But the tunnel MTU is defined by EMTU_R of the tunnel egress, not EMTU_S of the tunnel ingress. If you reduce the tunnel MTU, you’re just going to end up black-holing packets arriving at the tunnel ingress.

Two important points: the tunnel ingress is NOT the one that should ever send PTB back; that’s the job of the router where/if that tunnel ingress resides; second, you cannot claim to get around an ICMP black hole situation by creating a new ICMP black hole situation.

The rest of the document is rife with further errors, e.g.:

The last sentence of the abstract is incomprehensible. 

In the intro, the claims about IPv4 ID are incorrect. As noted in RFC6864, speed is not the issue but rather the expected reordering. Additionally, there’s already a timeout, so there is no requirement for indefinitely kept state. Further, given source fragmentation, such issues are irrelevant.

DF=1 leads to black holing ONLY in the absence of PLPMTUD, which is the appropriate solution for IPsec tunnels anyway. Note that even if DF=0, black-holing could still occur if the Tunnel Transit packet exceeds the tunnel egress EMTU_R.

Joe

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Jan 4, 2023, at 7:21 PM, Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
> Hi Joe, 
> 
> We are waiting for your feedback, but I just want to check we have the same understanding and that we will have a feed back.
>   
> We would like to understand if the terminology used in the document is aligned with the one of intarea-tunnels and if we agree that intarea-tunnels and IPsec have different perspectives on handling fragmentation. I do not see what we are proposing very different from what IPsec has been doing for years.  
> 
> I also think that everything is explained in the introduction (2 text pages), so you do not have to read the full document. The document is available here:
> https://datatracker.ietf.org/doc/draft-liu-ipsecme-ikev2-mtu-dect/
> 
> Yours, 
> Daniel
> 
> On Sat, Nov 26, 2022 at 9:25 AM Daniel Migault <mglt.ietf@gmail.com <mailto:mglt.ietf@gmail.com>> wrote:
>> Hi Joe, 
>> 
>> So  we just published an update of our draft. We try to catch up the complete idea in the introduction - to avoid reading the complete draft. I think we partly aligned with the tunnel document. The current version only describe the security gateway as a node and does not split it between a outer and an interface. I think for the remaining of the document we are taking the exact terminology from the tunnel draft.
>> 
>> We believe that IKEv2 and the tunnel document have different visions and tried to highlight this also. 
>> 
>> One big clarification in my point of view is that the previous version confused MTU with MAP. 
>> 
>> We are happy to get your feedback. 
>> 
>> Yours, 
>> Daniel
>> 
>> On Mon, Oct 31, 2022 at 5:32 PM touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote:
>>> On Oct 31, 2022, at 11:07 AM, Daniel Migault <mglt.ietf@gmail.com <mailto:mglt.ietf@gmail.com>> wrote:
>>>> 
>>>>> 	- the tunnel has two DIFFERENT relevant MTUs
>>>>> 		the egress reassembly MTU (EMTU_R), which is the only thing that should drive the “tunnel MTU”
>>>>> 
>>>>> 		the tunnel MTU, which the ingress needs to know for source fragmentation, but is NOT relevant to the
>>>>> 		origin MTU upstream of the ingress
>>>>> 
>>>> Will read the draft - but we believe that is better to generate one IPsec packet for every inner IP packet as opposed to two. This is why we are proposing to adjust the MTU so the outer packet matches the limit of the EMTU_R - and fragmentation be avoided.
>>> 
>>> That doc explains why this is effort isn’t useful. As I noted to Tero, there’s no ICMP message that says “bigger than I’d like”. PTB means “packets larger than this will be dropped”. That’s not what’s going on here, so it’s the wrong message to support.
>>> 
>>> There is no message that supports what you’re trying to do - perhaps because there can’t and shouldn’t be.
>>> 
>>> Joe
>> 
>> 
>> -- 
>> Daniel Migault
>> Ericsson
> 
> 
> -- 
> Daniel Migault
> Ericsson
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email