IETF Logo Mail Archive

Re: [pmtud] Improvement for the current PMTUD mechanism

John Heffner <jheffner@psc.edu> Fri, 30 September 2005 20:33 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELRZ0-0007PU-24; Fri, 30 Sep 2005 16:33:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELRYz-0007MQ-9N for pmtud@megatron.ietf.org; Fri, 30 Sep 2005 16:33:01 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA17087 for <pmtud@ietf.org>; Fri, 30 Sep 2005 16:32:59 -0400 (EDT)
Received: from mailer2.psc.edu ([128.182.66.106]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ELRgt-0005LB-3b for pmtud@ietf.org; Fri, 30 Sep 2005 16:41:13 -0400
Received: from dexter.psc.edu (dexter.psc.edu [128.182.61.232]) by mailer2.psc.edu (8.13.4/8.13.3) with ESMTP id j8UKWTkT022555 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 30 Sep 2005 16:32:29 -0400 (EDT)
Received: from localhost (dexter.psc.edu [128.182.61.232]) by dexter.psc.edu (8.12.11/8.12.10) with ESMTP id j8UKWTkr005060; Fri, 30 Sep 2005 16:32:29 -0400
From: John Heffner <jheffner@psc.edu>
Organization: PSC
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [pmtud] Improvement for the current PMTUD mechanism
Date: Fri, 30 Sep 2005 16:31:52 -0400
User-Agent: KMail/1.8.1
References: <6.2.0.14.0.20050905131637.039f4138@pop3.frh.utn.edu.ar>
In-Reply-To: <6.2.0.14.0.20050905131637.039f4138@pop3.frh.utn.edu.ar>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200509301631.52736.jheffner@psc.edu>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976
Content-Transfer-Encoding: quoted-printable
Cc: pmtud@ietf.org
X-BeenThere: pmtud@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Path Maximum Transmission Unit Discovery <pmtud.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pmtud>, <mailto:pmtud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/pmtud>
List-Post: <mailto:pmtud@ietf.org>
List-Help: <mailto:pmtud-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pmtud>, <mailto:pmtud-request@ietf.org?subject=subscribe>
Sender: pmtud-bounces@ietf.org
Errors-To: pmtud-bounces@ietf.org

Fernando,

I've read over the PMTUD-related section of your draft.  Here are a few
comments.

One thing to consider is the case where one flow is traversing multiple paths
concurrently.  In the algorithm you describe, in this case it's likely a host
will ignore the ICMP PTB messages since it can still make progress, but
ignoring them is clearly the wrong thing to do and will drastically hurt
performance.  You may consider incorrect operation in this case worth the
trade-off, but it should at least be explicitly documented.

It might be a good idea to add some text about layering issues. Classic PMTUD
occurs at both the IP and TCP layers.  In implementations with which I'm
familiar, the ICMP message is processed by the IP layer, updating the pmtu in
the route cache, then the message is demuxed and passed down to TCP, which
updates is MSS and retransmits the packet.  To implement these the algorithm you
describe, you'll need the ability for TCP to be able to "override" the IP
layer's idea of the pmtu.  We have similar constraints for MTU probing, and
we're addressing this issue more directly in the next revision of
draft-ietf-pmtud-method.

One small suggestion is that it might be natural to use "R1" from RFC 1122
instead of specifying the new variable MAXSEGRTO.  This variable indicates
how long to wait before deciding the connection is making no progress.  This
may be what you're looking for, or possibly not.  But reusing an existing
variable does make implementation easier. :)

Thanks,
  -John


On Monday 05 September 2005 12:24 pm, Fernando Gont wrote:
> Folks,
>
> Since August 2004 I have been woeking on an internet-draft on ICMP attacks
> against TCP. One of the attacks the draft addresses is a "blind
> performance-degrading attack" in which the traditional PMTUD is exploited
> to reduce the size of the packets used for a given connection.
>
> We (me, and the community, including "traditional" vendors, open source
> ones, etc.) have been able to work out an improvement to the current PMTUD,
> to mitigate its security implications.
>
> The fix just tries to address that. By no means is it an alternative to
> PLPMTUD. For instance, it does not address ICMP blackholes.
>
> I'd like to get feedback from this WG on the PMTUD fix. I think the
> proposed mechanism could be used in some broader PMTUD such as PLPMTUD, so
> that ICMP can be used without the security implications of the traditional
> PMTUD, and thus the same convergnece time than the tradtional PMTUD could
> be achieved.
>
> The draft will soon be available from the internet-drafts public
> repository. In the mean time, you can access it through my web site:
> http://www.gont.com.ar/drafts/draft-gont-tcpm-icmp-attacks-04.txt
> (http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html)
>
> Kindest regards,
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
>
>
>
>
>
>
> _______________________________________________
> pmtud mailing list
> pmtud@ietf.org
> https://www1.ietf.org/mailman/listinfo/pmtud

_______________________________________________
pmtud mailing list
pmtud@ietf.org
https://www1.ietf.org/mailman/listinfo/pmtud

v2.23.0 | Report a Bug | By Email