IETF Logo Mail Archive

Re: [IPsec] PLMTUD probes for IPsec

Shibu <pshibunair@gmail.com> Thu, 10 May 2018 16:36 UTC

Return-Path: <pshibunair@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDDFB12D885 for <ipsec@ietfa.amsl.com>; Thu, 10 May 2018 09:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUYp3rmAmkl3 for <ipsec@ietfa.amsl.com>; Thu, 10 May 2018 09:36:47 -0700 (PDT)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFA6012D881 for <ipsec@ietf.org>; Thu, 10 May 2018 09:36:47 -0700 (PDT)
Received: by mail-qk0-x233.google.com with SMTP id h19-v6so2040728qkj.10 for <ipsec@ietf.org>; Thu, 10 May 2018 09:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aDAbsJ3t8YCKSSxpsaRiwK4G+pNkPpAVBvaogFo6YNM=; b=VMNHf1MzI/uPnCe5do9V4xM1PA8AlFWXK2QDhCsgGkzcle9W23lJHdjjrcxnjTccR+ q2brPs2qF8Jna2vnecasTa6X34ajFtge+xRULzzCAxOo2IcruwjzI/i+cDWi1f2cWkhD FlY29zwhOPh+84CFrrQ85CO6c9FHt5IHa9ywLXy5DeIb288v9tYG5QK5Edn1gttUSQrB NOPNJZK3xY641wV8TlA+376JNSCB7C4CG6AMRIUy5apkwxb8O/p45Fu46YLl2j+1im4z bln81ezr1GI1PUChIZtISvFqAxNJDxm4jHgxak9iSrm2sN2W2sNBScWT4wqhV21vvbIR XV/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aDAbsJ3t8YCKSSxpsaRiwK4G+pNkPpAVBvaogFo6YNM=; b=tb9OaFtN2KQqNT62nIlQ6W7v12N9KoTe00RCMh+BiMDECDPOFENlRy6jqfMTSnzn5Z cfggRbL/gGUuf8GcgVfCa2d5fPfy6n0CCVJL9TuLCX2y1evvH5klNuGV67nrskax8FPP NZK7h7n7SeHEIvP/1jpWKl3eTCc89l9yuJZ4NtFRXiQy5+v86lGCtoLrbhzMgUmAK5qV 9le18cKeYI3xwwKKUElYLP6ywR/CdvEeWe+aN74ygNu/l7/CCHQaAWQbHZhPvxhBcnW6 CdQcSUZ3BXNtOiHopznCHWEwnyc+RgYt/Ne2AT2yEfG0Wa/S05NajSBYh1ygkH0gmZED tCmQ==
X-Gm-Message-State: ALKqPwe9OYsHfaE4MCR4oh80huzSm4xWlbOQrcoALLdwFe+y3lL6m9RX BV0pOBki0/SwmvlKx6FmisniLEh0ZrB68A4MXQ0=
X-Google-Smtp-Source: AB8JxZqRThXM7LXogWKByGfzEvWYI95RTtUli5BoqIdyljkBL9Hewjqv9dHrbZyqaQt/4ml+szRTl2WgP0hA8HEs/lw=
X-Received: by 2002:a37:7943:: with SMTP id u64-v6mr1885415qkc.13.1525970206853; Thu, 10 May 2018 09:36:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.212.13 with HTTP; Thu, 10 May 2018 09:36:46 -0700 (PDT)
In-Reply-To: <23248.26552.790605.595114@fireball.acr.fi>
References: <11057.1522877721@obiwan.sandelman.ca> <003c01d3ccd2$db7c20e0$927462a0$@gmail.com> <1172.1522940927@obiwan.sandelman.ca> <SN6PR05MB42409919A192C03F5CB747DAAEBB0@SN6PR05MB4240.namprd05.prod.outlook.com> <012601d3cd78$343cdd50$9cb697f0$@gmail.com> <SN6PR05MB42402E6C41084E7EA726E4D3AEBF0@SN6PR05MB4240.namprd05.prod.outlook.com> <02e401d3d099$281d2a10$78577e30$@gmail.com> <23244.38734.270422.683057@fireball.acr.fi> <SN6PR05MB42402A97DBD85768953E04AFAEBD0@SN6PR05MB4240.namprd05.prod.outlook.com> <23248.26552.790605.595114@fireball.acr.fi>
From: Shibu <pshibunair@gmail.com>
Date: Thu, 10 May 2018 22:06:46 +0530
Message-ID: <CAKw8uhjAXUEYB5z+_mQXKR63MJdXcU1o9DpXqP_LLfOrwBr0TQ@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Ron Bonica <rbonica@juniper.net>, "ipsec@ietf.org" <ipsec@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Valery Smyslov <smyslov.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000001e1021056bdca0e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oK_6ITrckIp2OwiivmoJOlYDnZM>
Subject: Re: [IPsec] PLMTUD probes for IPsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 16:36:50 -0000

Hello Tero and all,

We discussed internally among the authors and it looks there exist 3
choices - to do PMTUD  over IKE, or ESP or both. (Many reviewers have
already pointed out these at various stages, just collating them here).

PMTUD over IKE is needed anyways for large IKE cert payloads, so if we do
PMTUD over IKE,  we could depend upon the same discovered MTU value for ESP
paths as well as a guidance value. This seems to work for most of the
cases, and there seems to be interest in the group towards this option. So
this looks to be a good option overall, if we tackle IKEv2 window nuances
effectively.

However, one caveat with above approach is that there is an implicit
assumption that paths for control and data traffic  are same (i.e. IP
based, 3 tupple paths).
With SDWAN use cases (wherein paths could be orchestrated based on proto,
port, QoS, App ID etc), would it be a precise  assumption to make? How
would we handle these cases when the paths are build for ESP and IKE
differently?

Thanks,
Shibu.


On Fri, Apr 13, 2018 at 1:48 PM, Tero Kivinen <kivinen@iki.fi> wrote:

> Ron Bonica writes:
> > In 99.9% of cases you are probably correct. If there is an ECMP
> > between the encrypting node and the decrypting node, all ECMPs have
> > the same PMTU.
>
> Is it 99.9%, or 99.9999%?
>
> > And because this is true in such a vast majority of cases, none of
> > us have seen a situation where one ECMP has a larger PMTU than then
> > next.
>
> If none has not yet been seen it is much closer to 100% than 99.9%.
> Depending of course how many setups people have seen...
>
> > However, we still need to be prepared for that rare situation where
> > one ECMP does have a greater PMTU that the next. Although black
> > swans are rare, they bite very hard!
>
> There is also option to say that network is so broken that we fall
> back to IPsec over TCP, and in that case both ESP and IKE packets go
> inside same TCP stream and MTU discovery is done simlarly for both, so
> things work. I.e., that might be acceptable solution for those rare
> really broken cases.
> --
> kivinen@iki.fi
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email