IETF Logo Mail Archive

Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review

Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 15:54 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C528C1524CF for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 08:54:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOEZFh_PKzcE for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C92AC1524D3 for <ipsec@ietf.org>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id q142so4016360iod.5 for <ipsec@ietf.org>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TjyncXdO3tArjD6cKcy1qOXbluvybQKeXy2AaHNMC6U=; b=c+yHQEVoKgBDGeaWHH3J7n8RPqAPDTrJQsge5XfC+j7L9dvn10gAHuxMFfIMbd+Jn2 dLZ1P1lV3QraSYQlaXGKVAjP74XvkFH3t1KNGl4WeFeCKiZFDixcbRcGpxR7ofo2EXej G28zd5XXWo8j0pcnHLm5qLve178tDr1+Nv45amq2b+IoIlFEKg4aqqXm8JwOUGH7DZ2P 9nhq5AXuprfzwatGz/rk1fJmfi3RAUiFx7D+MSp2g38DkqcX8MyX8TChgNtnTS//wtNE KiGkLCs7FkGPmDBIBIRtatD52UIk5nwq2b2iPvHwGBUbnUBhnKs1nXHhLXFBPfx8ljZP vJgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TjyncXdO3tArjD6cKcy1qOXbluvybQKeXy2AaHNMC6U=; b=c10DMf5Yk/oMD9XLabotUTCkfHj81xl40Dnu3LOmxxEMsbDb/lyGvCD0cgsMLsxGhT ilgXwiFrpts+pHc4Vv8GD3vT+2ts20o/B2Phw8gc8eACyuIN8MTSY115OuYgdmdCZzxY P0b7P1sVxEJ8cQP5BuUmUSYjbtfXr+BfQACgCNsOifYktkaC/gihcgJkbcQngDF2nHcX fA+PzRsU+mPqX5bHeqIfq2Cj6FUq8nZ0/lT4u4Kmp4vNvinxAlBWwBWmdfqAWBEWPTcP OYyBMU4tZKPLmdgzg01XeU5z5si8c94eijAMAjLHAJtJVQFBuGnakMcqxIUS0inG1CQj sJWg==
X-Gm-Message-State: ACrzQf3J+ZFlXVNcKwAdYWAmezmxAK6GX6+7xG98lh5I1mTn7KXuCqtK KjBW1IkHDz2mqt8x/VRPpJStGOjoxMA8ApFg8KCh+L+UwU4=
X-Google-Smtp-Source: AMsMyM5endgEcDGJ5oHh3slR1Xf7ND+K9DWevPAyNuRAAf5xWSp3OoTrc6uiqmpKdxC9IA1OEZuahzLoaN42Ik22hGg=
X-Received: by 2002:a02:c64f:0:b0:375:513e:454d with SMTP id k15-20020a02c64f000000b00375513e454dmr4484303jan.242.1667231644297; Mon, 31 Oct 2022 08:54:04 -0700 (PDT)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com>
In-Reply-To: <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 31 Oct 2022 11:53:53 -0400
Message-ID: <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000eab0aa05ec569d09"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tQ9Un7XROtqTbJ7VzkXV2pjUEpo>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 15:54:09 -0000

On Mon, Oct 31, 2022 at 11:25 AM touch@strayalpha.com <touch@strayalpha.com>
wrote:

> HI, Tero, et al,,
>
> Thanks for the clarification; I now understand that what you really are
> seeking is PLPMTUD for IPsec, but somehow using on-path fragmentation as a
> signal. That’s a mistake, IMO, largely because it serves only IPv4.
>
> My understanding is that IPv6 performs fragmentation at the source, in
which case, the receiving gateway does not need to defragment.  Our problem
is only happening with IPv4 when an on-path router fragments and the
receiving security gateway needs to re-fragment.

We explicitly mention in the introduction that what we have is not a
PLPMTUD for IPsec. Our understanding is that we are closer to ICMP-like
than a PLPMTUD. Maybe a PLPMTUD can be built on top of it, but we would
like to avoid taking that path for now.


> To the authors, again please see intarea-tunnels. The terms used here are
> ambiguous - “downstream” of a tunnel means traffic as it leaves the egress,
> but “downstream’ of the ingress could mean either that or the tunnel path
> itself (both are downstream).
>
> > On Oct 31, 2022, at 4:18 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> >
> > touch@strayalpha.com writes:
> >>    In the best case scenario, the security gateway informs the source
> node to
> >>    reduce the size of the inner packet with an ICP PTB packet for
> example.
> >>
> >> How? It can’t send an ICMP because it doesn’t have *the* packet causing
> the
> >> problem to “reflect” back to the source. The ingress may not know who
> the
> >> source is (there may be thousands or millions of sources). So which
> source?
> >
> > The normal case to do that is that IPsec SGW keeps track of the size
> > of packets that are ok, and which are too big based on the information
> > it receives. I.e., it might have received unsecured ICMP PTB message
> > from the network for its own Child SA, but only knows the SPI of the
> > Child SA, not who was the original sender. So it keeps track that for
> > this SPI the ESP packets cannot be larger than xxx bytes.
> >
> > Next time it receives a packet from the source and when it is
> > encrypting it, it will verify that it will fit the size set for that
> > Child SA, and if it is too big, it will generate ICMP PTB for that
> > specific packet.
> >
> > IPsec gateways have been doing that for years, and this has been
> > described in the RFC4301 section 8.2.1.
>
> That would happen because the tunnel packet caused PTB. This case is
> described in intarea-tunnels 4.3.2. The way in which IPsec gets it wrong
> (IMO) is described in Section 4.3.1 and is related to RFC 3884, e.g., by
> subsuming the functions of a router inside the IPsec mechanism, rather than
> operating strictly as a tunnel, which should be represented as a link - and
> *links do not send ICMP messages.
>
> What SHOULD happen in IPsec is that the SPI should have an MTU (being a
> link) and the *router* where packets are forwarded into the tunnel should
> determine when packets that want to enter that link are too big - at which
> point, per RFC 1812, the *router* should be sending the ICMP.
>
> > My understanding is that this draft (which I have not yet properly
> > read) is solving the situation where the tunnel does not get ICMP PTB
> > messages as they are forwarding packets with DF bit set to 0, and then
> > the receiving end will see extra fragmentation happening for the
> > packets. Then the receiving end will simulate the ICMP PTB by sending
> > authenticated IKEv2 notification that tells the sending end that his
> > packets got fragmented.
>
> The only reason the packet would have been too big at the receiver is if
> it were to exceed the receiver’s reassembly buffer. That’s not what’s
> happening here.
>
> It seems like there’s confusion about the fact that the source can somehow
> avoid fragmentation of the tunneled packets. That can’t happen - see
> intarea-tunnels Sec 3.6.3. Source fragmentation can and must still occur.
> The receiver should never send PTBs for 64-byte IPv4 packets (or 1280B
> IPv6).
>
> Further, on-path fragmentation for IPv4 has been warned against (the
> source has to rate-limit to avoid ID reuse during expected reordering, per
> RFC 6864).
>
> > Now the sending end can do similar processing of this information that
> > it does for unauthenticated ICMP PTB messages received for ESP
> > packets.
>
> Receiving a fragment isn’t a PTB event, though, as noted above.
>
> > --
> > kivinen@iki.fi
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email