IETF Logo Mail Archive

Re: [tcpm] PLPMTUD for all protocols

Toerless Eckert <tte@cs.fau.de> Fri, 30 March 2018 14:05 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27016127058 for <tcpm@ietfa.amsl.com>; Fri, 30 Mar 2018 07:05:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.961
X-Spam-Level:
X-Spam-Status: No, score=-3.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bu7TO6P5b_OP for <tcpm@ietfa.amsl.com>; Fri, 30 Mar 2018 07:05:01 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B47D0126DCA for <tcpm@ietf.org>; Fri, 30 Mar 2018 07:05:01 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 458F658C4C8; Fri, 30 Mar 2018 16:04:57 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 2DD62B0DE9A; Fri, 30 Mar 2018 16:04:57 +0200 (CEST)
Date: Fri, 30 Mar 2018 16:04:57 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: William Herrin <bill@herrin.us>
Cc: Joe Touch <touch@strayalpha.com>, tcpm@ietf.org
Message-ID: <20180330140456.GH3590@faui40p.informatik.uni-erlangen.de>
References: <alpine.DEB.2.20.1803281034310.20609@uplift.swm.pp.se> <CAP-guGVEcnk09yi8sz+fmghpeb91Y8tQb+LsEmSF+0e+f6oGhw@mail.gmail.com> <alpine.DEB.2.20.1803281747020.20609@uplift.swm.pp.se> <B323BA47-32DF-498B-9D1F-5A378E7ABB98@strayalpha.com> <CAP-guGXfds60dwJXgnSYdbtQ-qOCJGpiw1kcYUkJR8L3jwsFSA@mail.gmail.com> <alpine.DEB.2.20.1803291727100.20609@uplift.swm.pp.se> <CAP-guGWhyS0UW9YwsQyA10iN_M=yc4H8NqKAgWH=zPBFhscJxQ@mail.gmail.com> <20180329174920.GV30215@faui40p.informatik.uni-erlangen.de> <CAP-guGVGp8k37b__hb6ve5V9h3QyYAivpA+X8iqJB_vskBnc=g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAP-guGVGp8k37b__hb6ve5V9h3QyYAivpA+X8iqJB_vskBnc=g@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/to9lMbyh-hU9UtvTlqNQbYr12f0>
Subject: Re: [tcpm] PLPMTUD for all protocols
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2018 14:05:04 -0000

William,

Thanks for making suggestions how the network can behave
better, no idea why i am starting to give up on that idea *sigh*

This part of the discussion would probably be better on v6ops@ietf.org

more inline.

On Fri, Mar 30, 2018 at 08:44:46AM -0400, William Herrin wrote:
> My thoughts run this direction:
> 
> 1. Recommend that router implementations "SHOULD" provide the option
> to generate ICMPv4 type 3 code 4 (fragmentation needed) messages and
> ICMPv6 type 2 (packet too big) messages from an address different than
> the source interface address. They Dan't today, creating lots of cases
> where the operator has to sacrifice PMTUD.

rfc1918/ULA on interfaces plus RPF later on ?
SP edge filtering of IF-address ranges ?
Any other known systematic reasons ?

Would be good to document systematic reasons to make sure suggested
workarounds can fix them.

The main problem iwth such a command is to make operators not forget
applying it. Or even having an address that would allow for the packet
to be passed back.

> 2. Recommend that firewall implementations "SHOULD NOT" filter ICMPv4
> type 3 code 4 (fragmentation needed) messages or ICMPv6 type 2 (packet
> too big) messages unless explicitly configured to do so. In other
> words, the instruction to filter all ICMP will not result in dropping
> fragmentation needed messages but the explicit instruction to drop
> fragmentation needed messages specifically will. Today's firewall
> tools make it too easy to accidentally kill PMTUD.

I am a lot more pessimistic of any form of IETF recommendation to
impact firewalls positively. At its core, most IETF design does not
even acknowledge the need for firewalls and has not designed network
services for their presence. I would also bet there are possible
attack vectors with ICMP fragmentation needed messages. And what else
does a fireall operator need to break something...

We can try of course. I think these days the way how you would be
achieve something like that is to define some YANG model that
contains the equivalent of such commands - You can make such a YANG
model standards track. CLI recommendations at best are BCP.

> Let's maximize the chance of PMTUD working as designed and then build
> something optimized for the residual cases where it still doesn't.
> 
> > Write rfc4821bis with recommendations for an additional,
> > simplified procedure dropping to 1280/576 and use most simple upspeeding
> > option ?
> 
> That is #3. And I'd like to be smart about fallback at the expense of
> efficiency in the black hole case. Send the 1280 packet. If it works,
> send another full size packet to confirm it still fails before
> accepting 1280 as the path mtu. If the 1280 and 576 packets don't work
> either, don't try the fallback again: it's not path mtu. Maybe the RFC
> is already smart about this; I didn't read closely enough.
> 
> 4. Go back to the ground truths and reconsider whether we have
> satisfactory information at layer 3 to make reliable decisions about
> path mtu. Because of the fate sharing issue, I think PMTUD wants to be
> a layer 4 problem implemented independently in each layer 4 protocol
> with layer 3 offering hints from ICMP when available. Maybe this is
> something that should be kicked over to the IRTF for investigation.

Sure, you can bring the problem to PANRG.

The main issue is that cool new solutions will not fix broken old
equipment, so most efforts we seem to spend in IETF are about
workarounds for that broken old equipment (points 1..3).

And every time you try to
do something new & better, you get hammered down by IETF with
"oh, this will take a decade to see any adoption, go away". 

> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin ................ herrin@dirtside.com  bill@herrin.us
> Dirtside Systems ......... Web: <http://www.dirtside.com/>
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email