[Ipsec] Seeking IPsec input on PMTUD draft
The soon-to-appear draft-ietf-pmtud-method-02.txt contains the 4 rather
pointed paragraphs attached below. I would really appreciate some input from
this community: is our proposal sufficient to solve the "tunnel MTU" problem?
If not, what do we need? What situations fail (besides ignoring DF)?
I was planning to ask for a short presentation slot in IPsec, but it seems that
there is not a meeting scheduled. Should this be mentioned at some other WG?
In any case pmtud is meeting Tuesday at 1415. Your input is welcome.
(Before the ID editor catches up, the draft can be obtained from
http://www.psc.edu/~mathis/draft/draft-ietf-pmtud-method-02.txt &.html)
Thanks,
--MM--
-------------------------------------------
Interoperation with tunnels
PLPMTUD is specifically designed to solve many of the problems that people are
experiencing today due to poor interactions between classical MTU discovery,
IPsec, and various sorts of tunnels <xref target="RFC2401"/>. As long as the
tunnel reliably discards packets that are too large, PLPMTUD will discover an
appropriate MTU for the path.
Unfortunately due to the pervasive problems with classical PMTU discovery, many
manufacturers of various types of VPN/tunneling equipment have resorted to
ignoring the DF bit. This not only violates the IP standard and many
recommendations to the contrary <xref target="sigcomm-frag-harmful"/> <xref
target="I-D.mathis-frag-harmful"/>, it also violates the only requirement that
PLPMTUD places on the link layer: that oversized packets are reliably
discarded. It is imperative that people understand the impact of ignoring the
DF bit both to applications and to PLPMTUD.
We do understand the reality of the situation. It is important that vendors
who are building devices that violate the DF specification understand that
PLPMTUD requires that probe packets be discarded, and that sending ICMP Packet
Too Big messages alone is insufficient to prevent wholesale fragmentation if
the probe packets are delivered.
Therefore, it is imperative that devices that do not honor DF include packet
size history caches and other heuristics to robustly detect and discard probe
packets, if delivering them would require fragmentation.
-------------------------------------------
Matt Mathis http://www.psc.edu/~mathis
Work:412.268.3319 Home/Cell:412.654.7529
-------------------------------------------
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
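The following toy model is an added illustration of the four paragraphs above; it is not code from the draft, from the PMTUD working group, or from any vendor. It simulates a PLPMTUD sender binary-searching the path MTU with DF-set probes through a tunnel that either honours DF, ignores DF (fragmenting while still emitting ICMP Packet Too Big), or ignores DF but keeps a per-flow packet-size history cache to recognise and discard probes. The 56-byte encapsulation overhead, the 1024..1500 search window, and the "three repeats of one oversized size means the sender is not probing" rule are assumptions chosen for the example, not numbers from the draft.

```python
"""Toy model of PLPMTUD probing through a tunnel that may or may not honour DF.

Added example; not code from draft-ietf-pmtud-method or the IPsec WG.
Sizes, overhead and the probe-recognition threshold are assumptions.
"""
from collections import defaultdict


class Tunnel:
    """A tunnel endpoint in front of a link with a fixed MTU.

    mode: "honor_df"  - oversized DF packets are discarded (what PLPMTUD needs)
          "ignore_df" - oversized DF packets are fragmented anyway; an ICMP
                        Packet Too Big is still emitted (the broken case)
          "heuristic" - DF is ignored, but a per-flow size-history cache is used
                        to recognise probes and discard them (the draft's request)
    """
    PROBE_REPEAT_LIMIT = 3  # assumption: a PLPMTUD sender lowers its probe after a
                            # loss, so a flow repeating one oversized size more than
                            # this many times is treated as non-adapting traffic

    def __init__(self, link_mtu, overhead, mode):
        self.effective_mtu = link_mtu - overhead  # largest payload that fits unfragmented
        self.mode = mode
        self.fragmented = 0                       # packets delivered in fragments
        self.ptb_sent = 0                         # ICMP Packet Too Big messages emitted
        self.size_history = defaultdict(int)      # (flow, size) -> times seen oversized

    def forward(self, flow, size, df=True):
        """Return True if the packet reaches the far end (possibly fragmented)."""
        if size <= self.effective_mtu:
            return True
        self.ptb_sent += 1  # every mode reports Packet Too Big; PLPMTUD ignores it
        if self.mode == "honor_df" and df:
            return False
        if self.mode == "heuristic" and df and self._looks_like_probe(flow, size):
            return False
        self.fragmented += 1  # delivered, but cut into fragments
        return True

    def _looks_like_probe(self, flow, size):
        """Size-history heuristic (assumption): an oversized DF packet of a size
        this flow has rarely sent is a probe and must be dropped; a size that
        keeps arriving belongs to a sender that will not adapt, so fragment it
        rather than black-hole the flow."""
        self.size_history[(flow, size)] += 1
        return self.size_history[(flow, size)] <= self.PROBE_REPEAT_LIMIT


def plpmtud_search(tunnel, flow, low=1024, high=1500):
    """Binary-search the largest size the path delivers; every probe carries DF.

    Only delivery of the probe counts as success. ICMP Packet Too Big is never
    consulted, which is exactly why a tunnel that sends PTB but still delivers
    the probe misleads the search.
    """
    while high - low > 1:
        probe = (low + high) // 2
        if tunnel.forward(flow, probe, df=True):
            low = probe   # probe arrived: path MTU is at least this
        else:
            high = probe  # probe lost: path MTU is below this
    return low


def run_scenario(mode, link_mtu=1500, overhead=56, data_packets=10):
    """Probe with PLPMTUD, then send data at the discovered size.
    Returns (discovered_pmtu, total packets the tunnel had to fragment)."""
    tunnel = Tunnel(link_mtu, overhead, mode)
    pmtu = plpmtud_search(tunnel, flow="plpmtud")
    for _ in range(data_packets):
        tunnel.forward("plpmtud", pmtu, df=True)
    return pmtu, tunnel.fragmented


def legacy_sender(tunnel, flow="legacy", size=1500, count=10):
    """A sender that relies on classical PMTUD, never sees the ICMP (filtered),
    and keeps sending full-size DF packets. Returns how many were delivered."""
    return sum(tunnel.forward(flow, size, df=True) for _ in range(count))


if __name__ == "__main__":
    for mode in ("honor_df", "ignore_df", "heuristic"):
        pmtu, frag = run_scenario(mode)
        legacy = legacy_sender(Tunnel(1500, 56, mode))
        print(f"{mode:9s} PLPMTUD concludes {pmtu}, fragmented {frag:2d} packets; "
              f"legacy sender got {legacy}/10 through")
```

With a 1444-byte effective MTU, the DF-honouring tunnel and the heuristic tunnel both let PLPMTUD converge on 1444 with nothing fragmented. The DF-ignoring tunnel delivers every probe (while dutifully sending Packet Too Big), so the search climbs to 1499 and every subsequent data packet is fragmented. For the legacy sender the heuristic drops only the first few full-size packets before falling back to fragmentation, whereas the strict tunnel black-holes it and the DF-ignoring tunnel fragments everything.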