
Re: fragmentation



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Sami" == Sami Vaarala <sami.vaarala@netseal.com> writes:
    Sami> Since you can't rely on getting an icmp when your packet
    Sami> is too large, and you can't be certain that frags pass
    Sami> through routers, what is left?

  I have proposed to do PMTU for the tunnel itself by having the receiving
gateway observe the size of received fragments.
  {It turns out on linux, that it has become trivial to do, since transport
protocols are now forced to linearize fragments themselves. This was done so
that TCP could avoid a copy, and actually causes lossage on the current
FreeSWAN release with 2.4.4+. On other non-BITS implementations, this would
require some additional bookkeeping to be provided in the mbuf header}

  Periodically and when it sees a number larger than it has seen before, it
would send an ICMP fragment needed *through* the tunnel, to the
originator. The source address could be forged as coming from the destination
of the packet. (This guarantees that the ICMP packet fits into the tunnel. It
fails for per-protocol or per-port tunnels. I think that rfc2401bis will have
to address this and make ICMP explicitly allowed for them)

  This fails if there is an ICMP hole between the near gateway and the
originator. This is actually a very common occurrence when one has an extruded
host/subnet (i.e. the default route for the road warrior is through the
tunnel) since the "other side" is the entire Internet.

  This produces sub-optimal values if the fragmentation is done by dividing
in two. It does work however.

    Sami> An ordinary MTU discovery mechanism can be implemented
    Sami> on top of the encrypted ping.

    Sami> (Maybe this has already been suggested?)

  There are various blackhole discovery protocols that have been written
about. I don't have references on them, sorry. The problem is usually that the
stupid web-hosting company that you are trying to reach isn't clueful enough
to turn it on.

  Part of the problem is education - a NetBSD hacker is in the process of
setting up a web site on which one can register sites which seem to have PMTU
on, but have ICMP off.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
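Added sketch of the receiving-gateway scheme described in the message above (editor's example, not code from the original post or from FreeS/WAN): the gateway remembers the largest outer fragment seen, reports a new inner-MTU estimate whenever that maximum grows, and builds the RFC 1191 "fragmentation needed" ICMP with the source forged as the inner destination. It assumes the caller supplies a fixed ESP tunnel-mode overhead and that only fragments with MF set are full-size.

```python
import socket
import struct
from typing import Optional


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (verifies to 0 on a checksummed buffer)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


class TunnelPmtuObserver:
    """Receiving-gateway side: track the largest outer fragment carrying MF.
    The last fragment is only the remainder, so it never updates the estimate.
    A router that splits in two yields a smaller (sub-optimal) but still usable value."""

    def __init__(self, tunnel_overhead: int) -> None:
        # assumed constant: outer IPv4 header + ESP header/IV/trailer/ICV bytes
        self.tunnel_overhead = tunnel_overhead
        self.max_fragment = 0

    def observe(self, outer_len: int, more_fragments: bool) -> Optional[int]:
        """Return a new inner-MTU estimate when a larger full-size fragment appears, else None."""
        if not more_fragments or outer_len <= self.max_fragment:
            return None
        self.max_fragment = outer_len
        return self.inner_mtu()

    def inner_mtu(self) -> int:
        return self.max_fragment - self.tunnel_overhead


def frag_needed(inner_src: str, inner_dst: str, offending: bytes, next_hop_mtu: int) -> bytes:
    """IPv4 packet with ICMP type 3 code 4 (RFC 1191) addressed to the originating host.
    Source is set to the inner destination so the reply is routed back through the tunnel."""
    # type, code, checksum placeholder, unused, next-hop MTU, then offending IP header + 8 bytes
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(inner_dst), socket.inet_aton(inner_src))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp
```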