Re: Manual PMTUD [was ...rfc2460bis-08]
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 19 March 2017 18:39 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3C08128D19 for <ipv6@ietfa.amsl.com>; Sun, 19 Mar 2017 11:39:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wANjMJjmLcrA for <ipv6@ietfa.amsl.com>; Sun, 19 Mar 2017 11:39:28 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A97F120326 for <ipv6@ietf.org>; Sun, 19 Mar 2017 11:39:28 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B99C6E239; Sun, 19 Mar 2017 15:02:47 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 00F0A636BB; Sun, 19 Mar 2017 14:39:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
cc: 6man WG <ipv6@ietf.org>
Subject: Re: Manual PMTUD [was ...rfc2460bis-08]
In-Reply-To: <0e628656-f8b2-effb-9f93-2efe6b0ee4c5@gmail.com>
References: <599257D7-532D-4512-929B-D124623EAF35@ericsson.com> <37ED3E78-B23A-4D29-8597-5A63236129B1@cisco.com> <887bd0f0-32a5-56f1-9ac9-703ecb97a760@gmail.com> <80D8FFF0-2674-48A7-A935-11681F5C5A4D@jisc.ac.uk> <A67E1C07-282B-4422-A2FF-86F6CACBD775@cable.comcast.com> <ab7c95a5-9776-24b5-7c26-4c5987d4c948@isi.edu> <ed2f5144-52fb-dda5-1fb4-62be1625b341@gmail.com> <401F52B1-3D41-4174-9425-50571B2D0B9E@jisc.ac.uk> <6d51de4b-3a9d-0f34-1cd2-5bb30caed75e@gmail.com> <DE16D91D-AE7B-4D3C-B8EA-0CB644FB96BD@cable.comcast.com> <CA+b+ER=6dXLiwvLJa84uvpVeH0daGnZ-06P16JD0UutTrbUYyA@mail.gmail.com> <2a808465-58c9-1d5e-700b-f04043b33c1c@gmail.com> <32305.1489937663@obiwan.sandelman.ca> <0e628656-f8b2-effb-9f93-2efe6b0ee4c5@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 19 Mar 2017 14:39:26 -0400
Message-ID: <11502.1489948766@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hvRc9Kyot47PB25pxqRXqwq5OOQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 18:39:31 -0000
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: >> My claim is that (3) is irrelevant, IPsec AH has sadly (very very >> sadly from my point of view) failed. > Yes. But if you want to leave the way clear for defining a non-failing > alternative to AH, we would need inserted headers to be excluded from > AHng, which means some new design, I think. The failure of AH across the Internet has nothing to do with the AH construct itself. It has to do with the failure to establish any kind of useable Internet-wide trust infrastructure anchored in ownership of IP addresses. You can't use AH to secure interesting headers across the Internet if you can't establish trust to do the key management. {IPsec ESP is equally a failure for Internet-wide usage, except that it is useful for VPNs and Remote access scenarios in which trust can be established in the small} Given that the alternative to header insertion is IPIP insertion, if one wants to protect headers, one can often use ESP equally well. The one advantage of AH was that one was sure that the stuff inside (after) the AH is unencrypted. This matters to firewalls and other auditing devices that wish to validate a flow, but not interfere with one. >> The PMTUD argument would be persuasive for me if PMTUD via ICMP really >> worked. My experience is that there are just way many problems. >> PLPMTUD has been the only way I've gotten IPv6 over IPsec tunnels >> (where there is an MTU constriction) to work consistently, and I had >> argued that 2460bis should standardize this rather than PMTUD. > Right, but my understanding is that packets that grow in transit would > break PLPMTUD as well (at least temporarily). Correct, but a path change also can cause such a thing, as can a lot of other things. >> As for point (4), I think that we have a general problem here >> regardless of insertion. It would be nice to come up with some >> solutions to the problems of insertion, noting that insertion is just >> something that shines light on a fundamental problem. > Well, ICMP misrouting is kind of intrinsic in a connectionless datagram > network with "transparent" middleboxes that mess with packets. I think > you could spend the rest of your life failing to fix that. My point is that we need tools that let us investigate problems that occur in the middle of the network. Particularly, in the middle of other people's networks. For instance, there are (have been?) bugs in some ECMP solutions that basically kill any TCP connection that lasts longer a few minutes. Nobody using HTTP ever notices... -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- IETF Last Call conclusion for draft-ietf-6man-rfc… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Stefano Previdi (sprevidi)
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… 神明達哉
- Re: IETF Last Call conclusion for draft-ietf-6man… Voyer, Daniel
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Fernando Gont
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Joe Touch
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Smith
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Xing Li
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Stewart Bryant
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Robert Raszuk
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Mark Smith
- Re: Manual PMTUD [was ...rfc2460bis-08] Robert Raszuk
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Timothy Winters
- Re: Manual PMTUD [was ...rfc2460bis-08] Michael Richardson
- Re: Manual PMTUD [was ...rfc2460bis-08] Brian E Carpenter
- Re: Manual PMTUD [was ...rfc2460bis-08] Joel M. Halpern
- Re: Manual PMTUD [was ...rfc2460bis-08] Michael Richardson
- Re: Failure of AH (was: Manual PMTUD [was ...rfc2… Christian Huitema
- Re: Failure of AH (was: Manual PMTUD [was ...rfc2… Michael Richardson
- Re: Failure of AH Brian E Carpenter
- Re: Failure of AH Michael Richardson
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Townsley
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Townsley
- Re: IETF Last Call conclusion for draft-ietf-6man… Leddy, John
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Jeff Tantsura
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- RE: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… 神明達哉
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Mark Smith
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… otroan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- Re: IETF Last Call conclusion for draft-ietf-6man… Jen Linkova
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Jen Linkova
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Tim Chown
- RE: IETF Last Call conclusion for draft-ietf-6man… Ackermann, Michael
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Martin Rex
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Fernando Gont
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Suresh Krishnan
- Re: IETF Last Call conclusion for draft-ietf-6man… Robert Raszuk
- Re: IETF Last Call conclusion for draft-ietf-6man… Brian E Carpenter
- Re: IETF Last Call conclusion for draft-ietf-6man… Bob Hinden