IETF Logo Mail Archive

Re: Manual PMTUD [was ...rfc2460bis-08]

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 19 March 2017 18:39 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3C08128D19 for <ipv6@ietfa.amsl.com>; Sun, 19 Mar 2017 11:39:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wANjMJjmLcrA for <ipv6@ietfa.amsl.com>; Sun, 19 Mar 2017 11:39:28 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A97F120326 for <ipv6@ietf.org>; Sun, 19 Mar 2017 11:39:28 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B99C6E239; Sun, 19 Mar 2017 15:02:47 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 00F0A636BB; Sun, 19 Mar 2017 14:39:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
cc: 6man WG <ipv6@ietf.org>
Subject: Re: Manual PMTUD [was ...rfc2460bis-08]
In-Reply-To: <0e628656-f8b2-effb-9f93-2efe6b0ee4c5@gmail.com>
References: <599257D7-532D-4512-929B-D124623EAF35@ericsson.com> <37ED3E78-B23A-4D29-8597-5A63236129B1@cisco.com> <887bd0f0-32a5-56f1-9ac9-703ecb97a760@gmail.com> <80D8FFF0-2674-48A7-A935-11681F5C5A4D@jisc.ac.uk> <A67E1C07-282B-4422-A2FF-86F6CACBD775@cable.comcast.com> <ab7c95a5-9776-24b5-7c26-4c5987d4c948@isi.edu> <ed2f5144-52fb-dda5-1fb4-62be1625b341@gmail.com> <401F52B1-3D41-4174-9425-50571B2D0B9E@jisc.ac.uk> <6d51de4b-3a9d-0f34-1cd2-5bb30caed75e@gmail.com> <DE16D91D-AE7B-4D3C-B8EA-0CB644FB96BD@cable.comcast.com> <CA+b+ER=6dXLiwvLJa84uvpVeH0daGnZ-06P16JD0UutTrbUYyA@mail.gmail.com> <2a808465-58c9-1d5e-700b-f04043b33c1c@gmail.com> <32305.1489937663@obiwan.sandelman.ca> <0e628656-f8b2-effb-9f93-2efe6b0ee4c5@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 19 Mar 2017 14:39:26 -0400
Message-ID: <11502.1489948766@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hvRc9Kyot47PB25pxqRXqwq5OOQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 18:39:31 -0000

Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
    >> My claim is that (3) is irrelevant, IPsec AH has sadly (very very
    >> sadly from my point of view) failed.

    > Yes. But if you want to leave the way clear for defining a non-failing
    > alternative to AH, we would need inserted headers to be excluded from
    > AHng, which means some new design, I think.

The failure of AH across the Internet has nothing to do with the AH construct
itself.   It has to do with the failure to establish any kind of useable
Internet-wide trust infrastructure anchored in ownership of IP addresses.

You can't use AH to secure interesting headers across the Internet if you
can't establish trust to do the key management.

{IPsec ESP is equally a failure for Internet-wide usage, except that it is
useful for VPNs and Remote access scenarios in which trust can be established
in the small}

Given that the alternative to header insertion is IPIP insertion, if one
wants to protect headers, one can often use ESP equally well.  The one
advantage of AH was that one was sure that the stuff inside (after) the AH
is unencrypted.  This matters to firewalls and other auditing devices that
wish to validate a flow, but not interfere with one.

    >> The PMTUD argument would be persuasive for me if PMTUD via ICMP really
    >> worked. My experience is that there are just way many problems.
    >> PLPMTUD has been the only way I've gotten IPv6 over IPsec tunnels
    >> (where there is an MTU constriction) to work consistently, and I had
    >> argued that 2460bis should standardize this rather than PMTUD.

    > Right, but my understanding is that packets that grow in transit would
    > break PLPMTUD as well (at least temporarily).

Correct, but a path change also can cause such a thing, as can a lot of other
things.

    >> As for point (4), I think that we have a general problem here
    >> regardless of insertion.  It would be nice to come up with some
    >> solutions to the problems of insertion, noting that insertion is just
    >> something that shines light on a fundamental problem.

    > Well, ICMP misrouting is kind of intrinsic in a connectionless datagram
    > network with "transparent" middleboxes that mess with packets. I think
    > you could spend the rest of your life failing to fix that.

My point is that we need tools that let us investigate problems that occur in
the middle of the network.  Particularly, in the middle of other people's
networks.   For instance, there are (have been?) bugs in some ECMP solutions
that basically kill any TCP connection that lasts longer a few minutes.
Nobody using HTTP ever notices...

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email