
[Ipsec] Seeking IPsec input on PMTUD draft



The soon-to-appear draft-ietf-pmtud-method-02.txt contains the 4 rather 
pointed paragraphs attached below.  I would really appreciate some input from 
this community: is our proposal sufficient to solve the "tunnel MTU" problem? 
If not, what do we need?  What situations fail (besides ignoring DF)?

I was planning to ask for a short presentation slot in IPsec, but it seems that 
there is not a meeting scheduled.   Should this be mentioned at some other WG?

In any case pmtud is meeting Tuesday at 1415.   Your input is welcome.

(Before the ID editor catches up, the draft can be obtained from 
http://www.psc.edu/~mathis/draft/draft-ietf-pmtud-method-02.txt &.html)

Thanks,
--MM--

-------------------------------------------
Interoperation with tunnels

PLPMTUD is specifically designed to solve many of the problems that people are 
experiencing today due to poor interactions between classical MTU discovery, 
IPsec, and various sorts of tunnels [RFC2401].  As long as the 
tunnel reliably discards packets that are too large, PLPMTUD will discover an 
appropriate MTU for the path.

Unfortunately, due to the pervasive problems with classical PMTU discovery, many 
manufacturers of various types of VPN/tunneling equipment have resorted to 
ignoring the DF bit.  This not only violates the IP standard and many 
recommendations to the contrary [sigcomm-frag-harmful] 
[I-D.mathis-frag-harmful], it also violates the only requirement that 
PLPMTUD places on the link layer: that oversized packets are reliably 
discarded.  It is imperative that people understand the impact of ignoring the 
DF bit both to applications and to PLPMTUD.

We do understand the reality of the situation.  It is important that vendors 
who are building devices that violate the DF specification understand that 
PLPMTUD requires that probe packets be discarded, and that sending ICMP packet 
too big messages alone is insufficient to prevent wholesale fragmentation if 
the probe packets are delivered.

Therefore, it is imperative that devices that do not honor DF include packet 
size history caches and other heuristics to robustly detect and discard probe 
packets, if delivering them would require fragmentation.
-------------------------------------------
Matt Mathis      http://www.psc.edu/~mathis
Work:412.268.3319    Home/Cell:412.654.7529
-------------------------------------------
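As an added illustration (not part of the draft or of the message above), a small Python simulation of the three tunnel behaviours the excerpt describes: a device that honors DF, one that ignores it, and one that ignores it but applies a packet-size-history heuristic so that probes are discarded rather than fragmented. The tunnel MTU (1400), the flow names and the exact history rule are constructed assumptions, not anything the draft specifies.

```python
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    """Constructed tunnel endpoint; `mtu` is the usable size after encapsulation."""
    mtu: int = 1400
    honor_df: bool = True          # standard behaviour: drop oversized DF packets
    probe_heuristic: bool = False  # the draft's ask for devices that ignore DF
    history: dict = field(default_factory=dict)  # flow -> largest DF-clear size seen

    def forward(self, flow, size, df):
        """Return 'delivered', 'fragmented' or 'dropped' for one packet."""
        if not df:  # remember what the application sends without DF (legacy traffic)
            self.history[flow] = max(self.history.get(flow, 0), size)
        if size <= self.mtu:
            return "delivered"
        if df and self.honor_df:
            return "dropped"
        if df and self.probe_heuristic and size > self.history.get(flow, 0):
            # DF set, oversized, and larger than anything this flow has ever sent
            # with DF clear: assumed heuristic treats it as a PLPMTUD probe and
            # discards it instead of fragmenting.
            return "dropped"
        return "fragmented"  # DF ignored: delivered in pieces, sender never learns


def plpmtud_search(tunnel, flow, lo=1280, hi=1500):
    """Simplified PLPMTUD: grow the size while DF probes arrive. The sender only
    sees 'arrived or not', so a fragmented-but-delivered probe counts as success."""
    while lo < hi:
        probe = (lo + hi + 1) // 2
        if tunnel.forward(flow, probe, df=True) == "dropped":
            hi = probe - 1
        else:
            lo = probe
    return lo


def run_scenario(honor_df, probe_heuristic):
    """Discover the PMTU, then send one data packet at that size.
    Returns (discovered PMTU, fate of the data packet)."""
    t = Tunnel(honor_df=honor_df, probe_heuristic=probe_heuristic)
    flow = "host-a->host-b"  # constructed flow identifier
    pmtu = plpmtud_search(t, flow)
    return pmtu, t.forward(flow, pmtu, df=True)


if __name__ == "__main__":
    for honor, heuristic in [(True, False), (False, False), (False, True)]:
        print(f"honor_df={honor} heuristic={heuristic}:", run_scenario(honor, heuristic))
```

The middle case is the failure the draft warns about: every probe is fragmented and delivered, so the host settles on 1500 and all subsequent data is fragmented in the tunnel.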
