
Re: PMTU/DF issues



Hi Norm,

>>Seems to me that if the interface and next-hop gateway are different
>>for the ultimate destination and for the tunnel end, then the tunnel
>>end is not a security gateway.

	You're right that the tunnel end (security gateway) is highly
	likely to be on the regular path to the ultimate destination.
	But there could also be more than one path to the destination,
	e.g., the host could be at an organization with 2 firewalls.
	And the path being used could involve the less commonly chosen
	firewall.

> ****************************************************************************
> 
> 3. Path MTU Discovery -- As mentioned earlier, "ICMP PMTU" refers to an
>    ICMP message used for Path MTU Discovery.  
> 
> A. The amount of information returned with the ICMP message is limited
>    and this affects what selectors are available to identify security
>    associations, originating hosts, etc. for use in further propagating
>    the PMTU information.  
> 
>    The destination security gateway and SPI uniquely define a security
>    association which in turn defines a set of possible originating
>    hosts.  At this point, SG1 could:
>    a. send the PMTU information to all the possible originating hosts.
>       This would not work well if the host list is a wild card or if
>       many/most of the hosts weren't sending to SG1; but it might work
>       if the SPI/destination/etc mapped to just one host.

>>Seems to me that if a host wasn't sending to SG1 then it's not an
>>intended recipient of this PMTU information.
>>
>>Am I missing something here?


	        H1   ===================           H3
	          \  |                 |          /
	      H0 -- SG1* ---- R1 ---- SG2* ---- R2 -- H5
	          /  ^        |                   \
	        H2   |........|                    H4

	Assuming I understand your point, you're correct....  Suppose
	that the security policy for SG1 is to use a single SA to SG2
	for all the traffic between hosts H0, H1, and H2 and hosts H3,
	H4, and H5.  Then suppose H0 sends traffic to H5 that causes R1
	to send an ICMP PMTU message to SG1.  If the PMTU message has
	only the SPI, SG1 will be able to look up the SA and find the
	list of possible hosts (H0, H1, H2); but SG1 will have no way to
	figure out that H0 sent the traffic that triggered the ICMP PMTU
	message.  At this point, SG1 has the two choices outlined
	previously:
		a) send the PMTU information to all 3 hosts.  As you
		   observed, H1 and H2 aren't the intended recipients
		   for the PMTU information and won't know what to do
		   with it.
		b) hold the PMTU information until another too-big
		   packet arrives and then use that packet and the PMTU
		   information to construct an ICMP PMTU for the
		   originating host (H0).

Karen
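The two choices Karen lays out can be made concrete with a small model of SG1's state. The following is an added example, written for this archive page and not code from the thread or from any IPsec implementation; it models the email's topology (one SA from SG1 to SG2 carrying H0/H1/H2 to H3/H4/H5) and shows why option (a) fans the PMTU out to uninvolved hosts while option (b) waits for the next too-big packet, whose inner header names the real originator. The SPI value, the 1400-byte MTU reported by R1, the 50-byte tunnel overhead and the packet sizes are all constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed assumption: bytes the tunnel-mode encapsulation adds to an inner packet.
TUNNEL_OVERHEAD = 50


@dataclass
class SecurityAssociation:
    spi: int
    peer: str                        # destination security gateway, e.g. "SG2"
    inner_hosts: FrozenSet[str]      # hosts whose traffic this SA may carry
    held_pmtu: Optional[int] = None  # PMTU held under option (b), outer-packet size


@dataclass
class IcmpPmtu:
    """ICMP 'packet too big' as it reaches SG1: enough to find the SA, not the host (constructed)."""
    peer: str
    spi: int
    mtu: int


@dataclass
class InnerPacket:
    src: str
    dst: str
    size: int
    dont_fragment: bool = True


class SecurityGateway:
    def __init__(self) -> None:
        self.sa_table: Dict[Tuple[str, int], SecurityAssociation] = {}

    def add_sa(self, sa: SecurityAssociation) -> None:
        self.sa_table[(sa.peer, sa.spi)] = sa

    def lookup(self, msg: IcmpPmtu) -> SecurityAssociation:
        # Destination gateway plus SPI identify the SA, but not which inner host sent the packet.
        return self.sa_table[(msg.peer, msg.spi)]

    def option_a(self, msg: IcmpPmtu) -> List[str]:
        """Option (a): fan the PMTU out to every host the SA could have carried."""
        return sorted(self.lookup(msg).inner_hosts)

    def option_b_hold(self, msg: IcmpPmtu) -> None:
        """Option (b), step 1: remember the PMTU on the SA and send nothing yet."""
        sa = self.lookup(msg)
        sa.held_pmtu = msg.mtu if sa.held_pmtu is None else min(sa.held_pmtu, msg.mtu)

    def option_b_forward(self, pkt: InnerPacket, sa: SecurityAssociation) -> Optional[Tuple[str, int]]:
        """Option (b), step 2: on the next too-big DF packet the inner header names the
        originator.  Returns (host, inner MTU to report) when SG1 should construct an
        ICMP PMTU for that host, or None when the packet can simply be tunnelled."""
        if sa.held_pmtu is None or not pkt.dont_fragment:
            return None
        if pkt.size + TUNNEL_OVERHEAD <= sa.held_pmtu:
            return None
        return pkt.src, sa.held_pmtu - TUNNEL_OVERHEAD


def build_sg1() -> Tuple[SecurityGateway, SecurityAssociation]:
    """The email's topology: a single SA from SG1 to SG2 for H0/H1/H2 <-> H3/H4/H5."""
    sg1 = SecurityGateway()
    sa = SecurityAssociation(spi=0x1001, peer="SG2", inner_hosts=frozenset({"H0", "H1", "H2"}))
    sg1.add_sa(sa)
    return sg1, sa


def scenario() -> dict:
    """H0 -> H5 causes R1 to report a 1400-byte MTU to SG1 (constructed values)."""
    sg1, sa = build_sg1()
    msg = IcmpPmtu(peer="SG2", spi=0x1001, mtu=1400)
    fanout = sg1.option_a(msg)                                      # all three hosts, two of them uninvolved
    sg1.option_b_hold(msg)                                          # nothing sent yet
    hit = sg1.option_b_forward(InnerPacket("H0", "H5", 1500), sa)   # next too-big packet: H0 is identified
    miss = sg1.option_b_forward(InnerPacket("H1", "H3", 1300), sa)  # fits after encapsulation, forwarded
    return {"fanout": fanout, "hit": hit, "miss": miss}


if __name__ == "__main__":
    print(scenario())
```

The model keys the SA table on (destination gateway, SPI), as the quoted text says those two together define the SA. Option (b) subtracts the tunnel overhead before reporting, so the inner host learns an MTU that still fits once SG1 encapsulates; it also keeps the minimum of successive reports so a later, smaller PMTU is not overwritten by a stale larger one.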