RE: Treatment of ICMP for PMTU
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 28 June 2018 05:28 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ECEB130E98 for <quic@ietfa.amsl.com>; Wed, 27 Jun 2018 22:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G38U_pMiw8QY for <quic@ietfa.amsl.com>; Wed, 27 Jun 2018 22:28:20 -0700 (PDT)
Received: from mail-it0-x243.google.com (mail-it0-x243.google.com [IPv6:2607:f8b0:4001:c0b::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10762130E10 for <quic@ietf.org>; Wed, 27 Jun 2018 22:28:20 -0700 (PDT)
Received: by mail-it0-x243.google.com with SMTP id l16-v6so9957810ita.0 for <quic@ietf.org>; Wed, 27 Jun 2018 22:28:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=ixnmXDgAtnIvrZfcL1u7co08t0LJin3dAU1VOeETApg=; b=AJyG/yO+usaLaH4UMcdyyNaRexAI2IFvHL6JhHogwOCpWVAvxzXFgnXxMmQwjPF1b9 tSa5Ej1XJjAwksiofPgxrjSRj7KGN2a0CDherBBuNR8TPaGS1vHoWhrWucUVYCr8zlIh 08r9rvRW3J0qxEB53uhIe5H3DhrfqQJymHd695Jw8rs60ZUKM3AmxoZc9czbxogXQGGN amJqwrMCwoBOZ3ckGGcGspp2cvnD9TfrqMCQOTviTT4wB7DY9/8RamZkaB4Xf1Rm8mFa HM+Q3KhykX5VLP0IIid0OLR58ZsUHDyQMu9kBCFwxGqYYTkGJYmtcWd9DV2jz2l3ook8 aTfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=ixnmXDgAtnIvrZfcL1u7co08t0LJin3dAU1VOeETApg=; b=ZD+rossucwsXCw6UWnLoqQlpc2rfuELjF2164I0LUA+NoopRZQBPFyx5LT0W2sYyvn jOjCKKwLDM9U0x6JKebb1h8Ml9woQZiOiAyFPjfzhfzaJydBnoBjb9O760xx87lWzksC DbK/sU2xb4p0uvQ2CnuHHqjzfDUbIPAe2uS4bTHycSqPNwk5h3k03v7ebEXeZ0NEh8Me WCdBvGmApE3zI4aycZC13vGaLWlbrw+6eE1KBKdYQ88X0Ca/4kg4O2/8xQeGgVPKIGJx IRK7D7AXgh21pZPMXt3CNUrjVkKFNE2D6Ia7heyojjcMi/D6wuUgkUrm2H98A9RC6tmJ zz0w==
X-Gm-Message-State: APt69E2WZETPbbfyMr0//l7mNytVpYCuoe+aRXd/LhYn7OEjU176cRSp CRjmQUP5TKKCSsVbinQLkbkQE04fFy6UdmZPxDo=
X-Google-Smtp-Source: AAOMgpdpS+R7dAYFGauV12ept8WzMz1Y/bTKJd66NECfsGAKhhTz16E0YrTIsVJ297e4gqqHuums7A4Qayv+84U/4eE=
X-Received: by 2002:a02:9833:: with SMTP id t48-v6mr7496378jaj.111.1530163699368; Wed, 27 Jun 2018 22:28:19 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 28 Jun 2018 01:28:18 -0400
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <7CF7F94CB496BF4FAB1676F375F9666A3BB5BA29@bgb01xud1012>
References: <924fbd75dbcf4d62a9062570b0d2ba5a@ustx2ex-dag1mb5.msg.corp.akamai.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB5B9DC@bgb01xud1012> <2f0e251a9b274272968a8b3053d3a3a5@ustx2ex-dag1mb5.msg.corp.akamai.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB5BA29@bgb01xud1012>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Thu, 28 Jun 2018 01:28:18 -0400
Message-ID: <CAN1APdf-AbpoMZ+FYZpa6H=DCv16Ef0ijkPa6fNSa2tA+obV7g@mail.gmail.com>
Subject: RE: Treatment of ICMP for PMTU
To: Lucas Pardue <lucas.pardue@bbc.co.uk>, IETF QUIC WG <quic@ietf.org>, Martin Duke <martin.h.duke@gmail.com>, "Lubashev, Igor" <ilubashe@akamai.com>
Content-Type: multipart/alternative; boundary="000000000000bfc80c056facffef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/kqoUiucjip-b3zT6fPr3el0KQbU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2018 05:28:24 -0000
Wrt tunnelling, see also https://github.com/quicwg/base-drafts/issues/1209 which was unceremoniously shut down on the argument that a path below 1280 is not a QUIC path. I see a concrete use case for smaller PMTU’s: a high performance coordination node forwards packets to peer nodes for consensus. The consensus requires adding a signature on forwarding, but repackaging the packet is too slow and might go against the proof being made. Here PNE is also annoying. On tunneling QUIC in QUIC in QUIC streams: that would add HOL, enough to not make it QUIC. Mikkel On 28 June 2018 at 03.22.54, Lucas Pardue (lucas.pardue@bbc.co.uk) wrote: Hi Igor, The difference as I see it is, if we were to follow a model similar to how CONNECT is defined in the HTTP/QUIC mapping, then QUIC tunnels are assigned to different streams (tunnel-streams) within a single connection. Remaining streams are used for client-proxy communications (control streams, request/response etc) On such a tunnel-stream, if we follow the CONNECT model of encapsulation, the client sends/receives only QUIC packets. It is the proxy's job to read/write IP. This leads me to thinking that a proxy cannot return ICMP on the tunnel-stream, and any ICMP cannot be disambiguated. Or, perhaps I'm missing something here? Kind regards Lucas ________________________________________ From: Lubashev, Igor [ilubashe@akamai.com] Sent: 28 June 2018 00:09 To: Lucas Pardue; Martin Duke; IETF QUIC WG Subject: RE: Treatment of ICMP for PMTU Hi Lucas, How is this different from PMTUD in IP-in-IP case? The endpoint computes and caches PMTU per endpoint. PMTU for connections to proxy is kept separately from PMTUs for connections to endpoints that go via the proxy. The proxy itself can learn PMTU between itself and the endpoints, subtract the overhead, and send ICMP to the sender of the proxied QUIC flow. I see the common case of QUIC implementation not being able to make use of ICMP is when QUIC is implemented in userspace on a platform that does not expose ICMP to the application. QUIC’s desire to receive ICMP will likely cause vendors of such platforms to add the missing functionality. * Igor From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk] Sent: Wednesday, June 27, 2018 5:27 PM To: Lubashev, Igor <ilubashe@akamai.com>; Martin Duke < martin.h.duke@gmail.com>; IETF QUIC WG <quic@ietf.org> Subject: RE: Treatment of ICMP for PMTU Hi Igor, If we consider tunnelling of QUIC within QUIC by means of a proxy (not currently specced anywhere but feasible), the tunnelled (end-to-end) path MTU is likely to be smaller than the hop-by-hop path MTUs. It may not be possible for the proxies to pass on ICMP in a way that the the tunnelled QUIC implementation can access it. (D)PLPMTUD seems to fit this case nicely as there can be two or more PLPMTUD contexts/values (one for the connection to the proxy, one for each tunnel within this connection). Lucas ________________________________ From: QUIC [quic-bounces@ietf.org] on behalf of Lubashev, Igor [ilubashe= 40akamai.com@dmarc.ietf.org] Sent: 27 June 2018 21:36 To: Martin Duke; IETF QUIC WG Subject: Treatment of ICMP for PMTU I have a PR for treatment of ICMP for PMTU ( https://github.com/quicwg/base-drafts/pull/1412< https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_quicwg_base-2Ddrafts_pull_1412&d=DwMFIw&c=96ZbZZcaMF4w0F4jpN6LZg&r=Djn3bQ5uNJDPM_2skfL3rW1tzcIxyjUZdn_m55KPmlo&m=Z8Jztem09Whn8ur3u4CIXydQ2bFcxT7J8RP_5EIqqN0&s=GfFHhZ-IsLfWzrc3Dd83k__I6Golxxd3W2LduTHYc_I&e=>) Many thanks to those who gave me ample feedback (both substantive and editorial). I’ve tried to incorporate it all. There are two technical issues that @Martin Duke<mailto: martin.h.duke@gmail.com> and I believe deserve a broader discussion with the group. 1. Is processing ICMP signals (and, especially, ICMP Packet Too Big signal) a MAY or a SHOULD? In the WG draft, processing ICMP is a MAY, but implementing PLPMTUD (RFC4821) is a SHOULD. However, PLPMTUD claims itself to be an extension of ICMP-based PMTUD process. So it makes sense to me that if PLPMTUD is a SHOULD, then ICMP itself is a SHOULD. QUIC implementations w/o access to ICMP would not be able to implement the ICMP part, and this is ok albeit unfortunate; and this also points to SHOULD (skipping on MAY is not "unfortunate"). 1. What to do, when an IPv4 ICMP (w/o on-path proof) request a PMTU reduction (after handshake)? There are three main options: ignore it, reduce your PMTU estimate, do not reduce but send PLPMTUD probes. Since this is very likely a valid signal, I do not like to ignore in the common case. Hence, the proposal is to allow an immediate PMTU reduction to up to some M, where 1280 ≤ M ≤ 1500. Once the reduction takes place, the endpoint can use PLPMTUD recommendations to see if it can probe a larger PMTU. If this sounds reasonable, then the question is picking M. I picked 1392 rather arbitrarily (GRE over IPsec + a few MPLS labels). If the requested reduction is 1280 ≤ X < M, then the recommendation is not to reduce but send PLPMTUD probes. Does this make sense, or should we have M=1280 and simplify things? Note: for ICMP w/ on-path proof, I think it makes sense to allow a reduction in PMTU up to 1280. It is hard to forge these, and the benefit of the effort for the attacker is minimal (slightly lower efficiency of the transport). So it is less likely that we’ll see forged ICMP w/ on-path proof. Any feedback is very welcome. * Igor ----------------------------- http://www.bbc.co.uk This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this. -----------------------------
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- Re: Treatment of ICMP for PMTU Gorry (erg)
- Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- Re: Treatment of ICMP for PMTU Eggert, Lars
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- Re: Treatment of ICMP for PMTU Gorry (erg)
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU joel jaeggli
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU Magnus Westerlund
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU Magnus Westerlund