Re: IPsec and Fragmentation
Karen Heron writes:
> > Path MTU discovery is a required feature of any compliant IPsec
> > implementation. While PMTU discovery doesn't "fix the problem", it
> > permits originating hosts (be they secured or not) to deflate their MTUs
> > according to the actually observed MTU in the pathway.
>
> > We calculate an MTU by subtracting IPsec header/trailer expansion octets
> > from the known MTU of the path. (It was a "bug" in our implementation
> > until I was charged with implementing PMTU discovery in our IPsec...)
>
> > In your example, the failure in step 6 should cause backpropagation
> > (sorry!), by ICMP CANT_FRAG packets, of the MTU to the originator of the
> > excessively-large packet. A good question to ask at this point is
> > how ICMP CANT_FRAG packets are needed to propagate the real path MTU to
> > the originating host.
>
> The problem with SG1 returning a Packet Too Big message with MTU=1500 to H1
> is that H1 already sees the Path MTU as 1280 (which is the MTU for the
> tunnel). H1 won't increase its PMTU in response to receiving a Packet Too
> Big message, but even if H1 did, it would then not be able to send the
> packets through the tunnel.
A good point, sorry I didn't catch it before. I think there's an
ambiguity in the situation that is not addressed in either standard IP
PMTU discovery or the IPsec variant: I (perhaps alone) interpret the
behavior of H1 as being two distinct objects.
I see the existence of a packet originator within H1, constructing and
"sending" plaintext packets. I see H1's IPsec subsystem as being almost
a logically separate colocated security gateway. Using such a model,
the secured inner packet generator needs to be informed of the final MTU
(in your example, the 1500-byte MTU between SG1 and H2).
I think your example points out that ambiguity. Note that the only way I
can think of solving it would be to perform some sort of addressing
hack to distinguish the "internal elements" of H1.
--
Leonard Samuelson, Ascend Communications, Inc. 614-760-4024
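The scenario argued over above (H1 holding a 1280-byte tunnel PMTU, SG1 reporting 1500, and the reply's model of H1 as a plaintext originator colocated with an IPsec subsystem) as a small added Python model; this is not code from either poster. The ESP tunnel-mode overhead figures (outer IPv4 header, 16-byte IV, 16-byte block alignment, 12-byte ICV) are constructed assumptions, and the rule that a Packet Too Big message never raises an existing estimate is the standard PMTU discovery rule the second post relies on.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed ESP tunnel-mode overhead: outer IPv4 header, ESP SPI+sequence,
# 16-byte IV, 16-byte cipher block alignment, 2-byte trailer, 12-byte ICV.
OUTER_IP_HDR, ESP_HDR, ESP_IV, ESP_BLOCK, ESP_TRAILER, ESP_ICV = 20, 8, 16, 16, 2, 12


def max_inner_packet(tunnel_pmtu: int) -> int:
    """Largest plaintext packet whose ESP tunnel encapsulation fits tunnel_pmtu."""
    room = tunnel_pmtu - (OUTER_IP_HDR + ESP_HDR + ESP_IV + ESP_ICV)
    room -= room % ESP_BLOCK          # payload + trailer is padded to whole blocks
    return room - ESP_TRAILER


@dataclass
class IPsecHost:
    """H1 as two colocated elements: a plaintext originator and an IPsec subsystem."""
    tunnel_pmtu: int                        # IPsec subsystem's estimate for H1 -> SG1
    inner_path_mtu: Optional[int] = None    # originator's estimate for the path beyond SG1
    log: list = field(default_factory=list)

    @property
    def originator_mtu(self) -> int:
        """What the plaintext originator may send: bounded by both estimates."""
        mtu = max_inner_packet(self.tunnel_pmtu)
        return mtu if self.inner_path_mtu is None else min(mtu, self.inner_path_mtu)

    def tunnel_packet_too_big(self, reported: int) -> bool:
        """PTB arriving on the outer (tunnel) path; PMTUD never raises an estimate."""
        if reported >= self.tunnel_pmtu:
            self.log.append(f"ignored outer PTB mtu={reported} >= {self.tunnel_pmtu}")
            return False
        self.tunnel_pmtu = reported
        self.log.append(f"outer PMTU lowered to {reported}")
        return True

    def inner_packet_too_big(self, reported: int) -> bool:
        """Same rule for the originator's own plaintext-path estimate (the reply's model)."""
        if self.inner_path_mtu is not None and reported >= self.inner_path_mtu:
            self.log.append(f"ignored inner PTB mtu={reported}")
            return False
        self.inner_path_mtu = reported
        self.log.append(f"inner path MTU set to {reported}")
        return True


if __name__ == "__main__":
    h1 = IPsecHost(tunnel_pmtu=1280)
    h1.tunnel_packet_too_big(1500)   # SG1's 1500 reaches the IPsec subsystem: ignored
    h1.inner_packet_too_big(1500)    # same value delivered to the originator: harmless
    print(h1.originator_mtu, h1.log)
```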