Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 15:54 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C528C1524CF for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 08:54:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOEZFh_PKzcE for <ipsec@ietfa.amsl.com>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C92AC1524D3 for <ipsec@ietf.org>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id q142so4016360iod.5 for <ipsec@ietf.org>; Mon, 31 Oct 2022 08:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TjyncXdO3tArjD6cKcy1qOXbluvybQKeXy2AaHNMC6U=; b=c+yHQEVoKgBDGeaWHH3J7n8RPqAPDTrJQsge5XfC+j7L9dvn10gAHuxMFfIMbd+Jn2 dLZ1P1lV3QraSYQlaXGKVAjP74XvkFH3t1KNGl4WeFeCKiZFDixcbRcGpxR7ofo2EXej G28zd5XXWo8j0pcnHLm5qLve178tDr1+Nv45amq2b+IoIlFEKg4aqqXm8JwOUGH7DZ2P 9nhq5AXuprfzwatGz/rk1fJmfi3RAUiFx7D+MSp2g38DkqcX8MyX8TChgNtnTS//wtNE KiGkLCs7FkGPmDBIBIRtatD52UIk5nwq2b2iPvHwGBUbnUBhnKs1nXHhLXFBPfx8ljZP vJgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TjyncXdO3tArjD6cKcy1qOXbluvybQKeXy2AaHNMC6U=; b=c10DMf5Yk/oMD9XLabotUTCkfHj81xl40Dnu3LOmxxEMsbDb/lyGvCD0cgsMLsxGhT ilgXwiFrpts+pHc4Vv8GD3vT+2ts20o/B2Phw8gc8eACyuIN8MTSY115OuYgdmdCZzxY P0b7P1sVxEJ8cQP5BuUmUSYjbtfXr+BfQACgCNsOifYktkaC/gihcgJkbcQngDF2nHcX fA+PzRsU+mPqX5bHeqIfq2Cj6FUq8nZ0/lT4u4Kmp4vNvinxAlBWwBWmdfqAWBEWPTcP OYyBMU4tZKPLmdgzg01XeU5z5si8c94eijAMAjLHAJtJVQFBuGnakMcqxIUS0inG1CQj sJWg==
X-Gm-Message-State: ACrzQf3J+ZFlXVNcKwAdYWAmezmxAK6GX6+7xG98lh5I1mTn7KXuCqtK KjBW1IkHDz2mqt8x/VRPpJStGOjoxMA8ApFg8KCh+L+UwU4=
X-Google-Smtp-Source: AMsMyM5endgEcDGJ5oHh3slR1Xf7ND+K9DWevPAyNuRAAf5xWSp3OoTrc6uiqmpKdxC9IA1OEZuahzLoaN42Ik22hGg=
X-Received: by 2002:a02:c64f:0:b0:375:513e:454d with SMTP id k15-20020a02c64f000000b00375513e454dmr4484303jan.242.1667231644297; Mon, 31 Oct 2022 08:54:04 -0700 (PDT)
MIME-Version: 1.0
References: <53B61B29-20F3-4DBD-962B-6F7CFCDEDEE6@strayalpha.com> <CADZyTknjaYshjZrY0-KcjMN_0bDUpx5RFvH=Hki4UpFs7jFTjQ@mail.gmail.com> <2FFA31D7-8E7D-48DB-A3BC-DDA3EB2ECCE2@strayalpha.com> <25439.44817.648153.317135@fireball.acr.fi> <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com>
In-Reply-To: <BFCDB8B9-8386-47D3-B2EA-3679D63D353B@strayalpha.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 31 Oct 2022 11:53:53 -0400
Message-ID: <CADZyTkkAH87urhD9E_3bE3K9=-Xcv7q0h-dC7RoDcs_fiYcACw@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000eab0aa05ec569d09"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tQ9Un7XROtqTbJ7VzkXV2pjUEpo>
Subject: Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect early TSVAREA review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 15:54:09 -0000
On Mon, Oct 31, 2022 at 11:25 AM touch@strayalpha.com <touch@strayalpha.com> wrote: > HI, Tero, et al,, > > Thanks for the clarification; I now understand that what you really are > seeking is PLPMTUD for IPsec, but somehow using on-path fragmentation as a > signal. That’s a mistake, IMO, largely because it serves only IPv4. > > My understanding is that IPv6 performs fragmentation at the source, in which case, the receiving gateway does not need to defragment. Our problem is only happening with IPv4 when an on-path router fragments and the receiving security gateway needs to re-fragment. We explicitly mention in the introduction that what we have is not a PLPMTUD for IPsec. Our understanding is that we are closer to ICMP-like than a PLPMTUD. Maybe a PLPMTUD can be built on top of it, but we would like to avoid taking that path for now. > To the authors, again please see intarea-tunnels. The terms used here are > ambiguous - “downstream” of a tunnel means traffic as it leaves the egress, > but “downstream’ of the ingress could mean either that or the tunnel path > itself (both are downstream). > > > On Oct 31, 2022, at 4:18 AM, Tero Kivinen <kivinen@iki.fi> wrote: > > > > touch@strayalpha.com writes: > >> In the best case scenario, the security gateway informs the source > node to > >> reduce the size of the inner packet with an ICP PTB packet for > example. > >> > >> How? It can’t send an ICMP because it doesn’t have *the* packet causing > the > >> problem to “reflect” back to the source. The ingress may not know who > the > >> source is (there may be thousands or millions of sources). So which > source? > > > > The normal case to do that is that IPsec SGW keeps track of the size > > of packets that are ok, and which are too big based on the information > > it receives. I.e., it might have received unsecured ICMP PTB message > > from the network for its own Child SA, but only knows the SPI of the > > Child SA, not who was the original sender. So it keeps track that for > > this SPI the ESP packets cannot be larger than xxx bytes. > > > > Next time it receives a packet from the source and when it is > > encrypting it, it will verify that it will fit the size set for that > > Child SA, and if it is too big, it will generate ICMP PTB for that > > specific packet. > > > > IPsec gateways have been doing that for years, and this has been > > described in the RFC4301 section 8.2.1. > > That would happen because the tunnel packet caused PTB. This case is > described in intarea-tunnels 4.3.2. The way in which IPsec gets it wrong > (IMO) is described in Section 4.3.1 and is related to RFC 3884, e.g., by > subsuming the functions of a router inside the IPsec mechanism, rather than > operating strictly as a tunnel, which should be represented as a link - and > *links do not send ICMP messages. > > What SHOULD happen in IPsec is that the SPI should have an MTU (being a > link) and the *router* where packets are forwarded into the tunnel should > determine when packets that want to enter that link are too big - at which > point, per RFC 1812, the *router* should be sending the ICMP. > > > My understanding is that this draft (which I have not yet properly > > read) is solving the situation where the tunnel does not get ICMP PTB > > messages as they are forwarding packets with DF bit set to 0, and then > > the receiving end will see extra fragmentation happening for the > > packets. Then the receiving end will simulate the ICMP PTB by sending > > authenticated IKEv2 notification that tells the sending end that his > > packets got fragmented. > > The only reason the packet would have been too big at the receiver is if > it were to exceed the receiver’s reassembly buffer. That’s not what’s > happening here. > > It seems like there’s confusion about the fact that the source can somehow > avoid fragmentation of the tunneled packets. That can’t happen - see > intarea-tunnels Sec 3.6.3. Source fragmentation can and must still occur. > The receiver should never send PTBs for 64-byte IPv4 packets (or 1280B > IPv6). > > Further, on-path fragmentation for IPv4 has been warned against (the > source has to rate-limit to avoid ID reuse during expected reordering, per > RFC 6864). > > > Now the sending end can do similar processing of this information that > > it does for unauthenticated ICMP PTB messages received for ESP > > packets. > > Receiving a fragment isn’t a PTB event, though, as noted above. > > > -- > > kivinen@iki.fi > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > -- Daniel Migault Ericsson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Michael Richardson
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Joe Touch
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Tero Kivinen
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… Daniel Migault
- Re: [IPsec] draft-liu-ipsecme-ikev2-mtu-dect earl… touch@strayalpha.com