
Re: IPsec and Fragmentation



Karen Heron writes:
> > Path MTU discovery is a required feature of any compliant IPsec
> > implementation.  While PMTU discovery doesn't "fix the problem", it
> > permits originating hosts (be they secured or not) to deflate their MTUs
> > according to the actually observed MTU in the pathway.
> 
> > We calculate an MTU by subtracting IPsec header/trailer expansion octets
> > from the known MTU of the path.  (It was a "bug" in our implementation
> > until I was charged with implementing PMTU discovery in our IPsec...)
> 
> > In your example, the failure in step 6 should cause backpropagation
> > (sorry!), by ICMP CANT_FRAG packets, of the MTU to the originator of the
> > excessively-large packet.  A good question to ask at this point is
> > how ICMP CANT_FRAG packets are needed to propagate the real path MTU to
> > the originating host.
> 
> The problem with SG1 returning a Packet Too Big message with MTU=1500 to H1
> is that H1 already sees the Path MTU as 1280 (which is the MTU for the
> tunnel).  H1 won't increase its PMTU in response to receiving a Packet Too
> Big message, but even if H1 did, it would then not be able to send the
> packets through the tunnel.

A good point, sorry I didn't catch it before.  I think there's an
ambiguity in the situation that is not addressed in either standard IP
PMTU discovery or the IPsec variant: I (perhaps alone) interpret the
behavior of H1 as being two distinct objects.

I see the existence of a packet originator within H1, constructing and
"sending" plaintext packets.  I see H1's IPsec subsystem as being almost
a logically separate colocated security gateway.  Using such a model,
the secured inner packet generator needs to be informed of the final MTU
(in your example, the 1500-byte MTU between SG1 and H2).

I think your example points out that ambiguity.  Note that the only way I
can think of solving it would be to perform some sort of addressing
hack to distinguish the "internal elements" of H1.
-- 
Leonard Samuelson, Ascend Communications, Inc.   614-760-4024
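As an added illustration (not code from this thread or from Ascend's implementation), here is the size arithmetic behind "subtracting IPsec header/trailer expansion octets" for ESP tunnel mode, using the thread's 1500-byte SG1-to-H2 path and 1280-byte tunnel figures. The transform parameters (IPv4 outer header, AES-CBC with a 16-byte block and IV, 12-byte ICV) are assumptions; the point it makes is that ESP padding means the inner MTU is not simply the path MTU minus a constant.

```python
# Added example: ESP tunnel-mode packet size vs. path MTU.
# Assumed transform (not stated in the thread): IPv4 outer header,
# AES-CBC with 16-byte block and 16-byte IV, 12-byte truncated-HMAC ICV.

OUTER_IP_HDR = 20   # outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Return (encapsulated_len, pad_len) for an inner packet of inner_len bytes."""
    # Padding brings (inner + trailer) up to a multiple of the cipher block.
    pad_len = (-(inner_len + ESP_TRAILER)) % block
    total = (OUTER_IP_HDR + ESP_HDR + iv_len
             + inner_len + pad_len + ESP_TRAILER + icv_len)
    return total, pad_len


def inner_mtu(path_mtu, block=16, iv_len=16, icv_len=12):
    """Largest inner packet whose ESP tunnel encapsulation still fits path_mtu."""
    # Bytes left for (inner + pad + trailer) once the fixed fields are paid for.
    room = path_mtu - OUTER_IP_HDR - ESP_HDR - iv_len - icv_len
    if room < block:
        raise ValueError("path MTU too small for this transform")
    # inner + trailer + pad is the smallest block multiple >= inner + trailer,
    # so the best inner length is the largest block multiple <= room, less the trailer.
    return (room // block) * block - ESP_TRAILER


def packet_too_big(inner_len, path_mtu, **kw):
    """True when a gateway would have to fragment or reject this inner packet."""
    return esp_tunnel_size(inner_len, **kw)[0] > path_mtu


if __name__ == "__main__":
    for pmtu in (1500, 1280):  # SG1->H2 path MTU and the tunnel MTU from the thread
        m = inner_mtu(pmtu)
        print(f"path MTU {pmtu}: inner MTU {m}, "
              f"encapsulated {esp_tunnel_size(m)[0]}, "
              f"one byte more -> {esp_tunnel_size(m + 1)[0]}")
```

The naive subtraction 1500 - 58 = 1442 overstates the inner MTU: a 1442-byte inner packet pads out to a 1512-byte ESP packet, while 1438 is the largest size that still fits.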
