
2401bis Issue # 78 -- PMTU issues



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	78

Title:		PMTU issues

Description:
============
In addition to the issue of how to handle ICMP error messages in 
general, there is the specific question of is there some way that 
systems can do Path MTU discovery other than by relying on ICMP error 
messages (PMTUs) from untrusted sources?  Note that we are much more 
concerned about ICMP messages arriving w/o IPsec protection from the 
public Internet vs. such messages arriving from a router "behind" an 
SG.

Proposed approach:
==================
1. Add controls to allow an administrator to configure the IPsec 
system to set a threshold for the minimum size to which the PMTU can 
be set via processing an ICMP PMTU from a public Internet source. The 
default is that the ciphertext size would be 576 bytes (IPv4) or 1280 
(IPv6). These values are likely to be sufficient in almost all cases; 
and one might adopt the Ethernet MTU of 1500 bytes for IPv4 and IPv6.

2. Develop a red side PMTU discovery protocol, for tunnels, to avoid 
the PMTU attack problem, and switch to red side fragmentation 
(fragmenting before IPsec is applied but allowing for IPsec headers), 
vs. black side fragmentation, to minimize the DoS problems for 
receivers. If we put this mechanism into IPsec, each peer can 
determine whether the peer at the other end of an SA supports this 
capability (via IKE) and the SA can provide the protected path. There 
is another working group working on this problem -- see PMTUD WG, 
email pmtud@ietf.org.  We propose to put this task on hold until 
they're finished.


Thank you,
Karen
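
One way the threshold in item 1 could be applied, as an added example that is not part of the original message or of any IPsec implementation. The function names are hypothetical, and two behaviours are assumptions: a below-threshold value from an unprotected source is clamped to the floor rather than discarded, and the floor is not applied to IPsec-protected ICMP.

```python
import struct

# Defaults from item 1: smallest ciphertext PMTU an unprotected ICMP may set.
DEFAULT_FLOOR = {4: 576, 6: 1280}

def advertised_mtu(version, icmp):
    """Return the MTU carried in an ICMP PMTU message, or None if it is not one."""
    if len(icmp) < 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    if version == 4 and icmp_type == 3 and code == 4:
        # ICMPv4 Fragmentation Needed: next-hop MTU in bytes 6-7 (RFC 1191)
        return struct.unpack("!H", icmp[6:8])[0]
    if version == 6 and icmp_type == 2:
        # ICMPv6 Packet Too Big: MTU in bytes 4-7 (RFC 4443)
        return struct.unpack("!I", icmp[4:8])[0]
    return None

def update_pmtu(current, version, icmp, unprotected=True, floor=None):
    """Return the new PMTU estimate for an SA after one ICMP message."""
    mtu = advertised_mtu(version, icmp)
    if mtu is None:
        return current                      # not a PMTU message
    if unprotected:
        # Assumption: clamp to the administrator's threshold, do not discard.
        mtu = max(mtu, (floor or DEFAULT_FLOOR)[version])
    elif mtu == 0:
        return current                      # old routers may send 0; ignore it
    return min(current, mtu)                # ICMP never raises the estimate

# Constructed sample messages (8-byte ICMP headers, checksum left at 0).
V4_FRAG_NEEDED_296 = struct.pack("!BBHHH", 3, 4, 0, 0, 296)
V4_HOST_UNREACH = struct.pack("!BBHHH", 3, 1, 0, 0, 0)
V6_TOO_BIG_1400 = struct.pack("!BBHI", 2, 0, 0, 1400)

if __name__ == "__main__":
    print(update_pmtu(1500, 4, V4_FRAG_NEEDED_296))           # clamped to floor
    print(update_pmtu(1500, 4, V4_FRAG_NEEDED_296, False))    # protected source
    print(update_pmtu(1500, 6, V6_TOO_BIG_1400))              # above floor
```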