
Re: 2401bis Issue # 78 -- PMTU issues

{I'm sorry to reply to such an old message}

>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:
    Karen> IPsec Issue #:	78

    Karen> Title:		PMTU issues

    Karen> 1. Add controls to allow an administrator to configure the IPsec 
    Karen> system to set a threshold for the minimum size to which the PMTU
    Karen> can be set via processing an ICMP PMTU from a public Internet
    Karen> source. The default is that the ciphertext size would be 576 bytes
    Karen> (IPv4) or 1280 (IPv6). 

  So, assuming that the administrator knows what the minimum ought to be,
they could just force the MTU of the tunnel to be that value. I note that
we don't really have any control like that at this time.

  I think that we do need some kind of protocol for determining what the
MTU of the outside of the tunnel is going to be. For IPv4, clearing the DF
bit might be as good a solution. 

  For IPv6, that won't be possible, and it isn't clear whether or not ICMPv6
will be subject to the same misconfiguration as for IPv4. (some say not)

  A very simple code-saving *hack* that I can think of is to have the
sender's kernel initiate a TCP connection in each SA to the discard service
on the remote end. Then, just send probe packets and note what MTU is
calculated. This won't work for dozens of reasons... any other protocol
created will essentially duplicate the TCP MTU probing code anyway, so...?

] Collecting stories about my dad: http://www.sandelman.ca/cjr/ |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
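As an added example (not part of this message or of any IPsec implementation), a small model of the per-SA handling the issue asks for: an ICMP-reported MTU may only lower the current estimate, is clamped to an administrator-configurable floor (576 bytes for IPv4, 1280 for IPv6 by default), and is ignored entirely once the administrator has pinned the tunnel MTU by hand. The class and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Defaults taken from the issue text: an ICMP "packet too big" from an
# unauthenticated Internet source must not drive the ciphertext (outer)
# PMTU below 576 bytes (IPv4) or 1280 bytes (IPv6).
DEFAULT_PMTU_FLOOR: Dict[int, int] = {4: 576, 6: 1280}


@dataclass
class SaPmtuState:
    """Per-SA outer-path MTU bookkeeping (hypothetical structure)."""
    family: int            # outer header address family: 4 or 6
    link_mtu: int          # MTU of the outgoing interface (upper bound)
    pmtu: int = 0          # current outer PMTU estimate
    forced: bool = False   # administrator pinned the tunnel MTU explicitly

    def __post_init__(self) -> None:
        if self.pmtu == 0:
            self.pmtu = self.link_mtu


class PmtuPolicy:
    """Administrator-configurable floor for ICMP-driven PMTU reductions."""

    def __init__(self, floors: Optional[Dict[int, int]] = None) -> None:
        self.floors = dict(DEFAULT_PMTU_FLOOR)
        if floors:
            self.floors.update(floors)

    def force_tunnel_mtu(self, sa: SaPmtuState, mtu: int) -> int:
        # The administrator knows the path: pin the MTU and stop listening to ICMP.
        if not self.floors[sa.family] <= mtu <= sa.link_mtu:
            raise ValueError("forced MTU outside [floor, link MTU]")
        sa.pmtu, sa.forced = mtu, True
        return sa.pmtu

    def process_icmp_pmtu(self, sa: SaPmtuState, reported: int) -> Tuple[int, str]:
        """Apply the MTU carried in an ICMP message; return (pmtu, decision)."""
        if sa.forced:
            return sa.pmtu, "ignored_forced"
        if reported >= sa.pmtu:
            return sa.pmtu, "ignored_not_lower"    # ICMP may only shrink the PMTU
        floor = self.floors[sa.family]
        if reported < floor:
            sa.pmtu = min(sa.pmtu, floor)          # clamp rather than trust it
            return sa.pmtu, "clamped_to_floor"
        sa.pmtu = reported
        return sa.pmtu, "accepted"
```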
