[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo

To: Michael Richardson <mcr at sandelman.ottawa.on.ca>
Subject: Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
From: Matt Mathis <mathis at psc.edu>
Date: Wed, 4 Aug 2004 02:56:42 -0400 (EDT)
Cc: Path MTU Discovery WG <pmtud at ietf.org>
In-reply-to: <26036.1091571506@marajade.sandelman.ottawa.on.ca>
List-archive: <http://www1.ietf.org/pipermail/pmtud>
List-help: <mailto:pmtud-request@ietf.org?subject=help>
List-id: Path Maximum Transmission Unit Discovery <pmtud.ietf.org>
List-post: <mailto:pmtud@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/pmtud>, <mailto:pmtud-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/pmtud>, <mailto:pmtud-request@ietf.org?subject=unsubscribe>
References: <E54AAB4D2F928C2F5B5DE7D2@DCFF15AFC1F6764BA3927E50> <410AE0B2.6070502@iprg.nokia.com> <Pine.LNX.4.60.0408011037230.3335@zippy.psc.edu> <410E9C01.40503@iprg.nokia.com> <Pine.LNX.4.60.0408021613590.2286@zippy.psc.edu> <26036.1091571506@marajade.sandelman.ottawa.on.ca>
Sender: pmtud-bounces at ietf.org

On Tue, 3 Aug 2004, Michael Richardson wrote:

"Matt" == Matt Mathis <mathis at psc.edu> writes:

   >> Indeed, at least one major OS always sets the 'id' field to '0'
   >> when sending IPv4 packets with the 'DF' bit set.

   Matt> This punishes devices that ignore DF.  Does anybody have any
   Matt> experience with this?  I would really like to hear more about
   Matt> it....

 Well, in the case of IPsec on Linux ignoring the DF bit, there is
no punishment. We presently "ignore" the DF bit by not copying it to
the IP/ESP headers. A new ID gets allocated for the ESP packet, which
may get fragmented.
 (We *DO* send ICMPs as well)

Let me make sure that I understand: in this case IPsec is applied first, before fragmentation, and the packet has to be reassembled before the decapsulater can decrypt/check the sig. So the outer fragmentation is *only* between the tunnel endpoints and is protected by more than 16 bits of checksum. This seems to me to be ok, except that it is not portable to IPv6. (This is ok because the fragmentation is totally hidden from the end system, and protected from missassociation by much more than 16 bits.)

The "punishment" I was referring to is this: if you always set the IP ID to zero on non-fragmented packets with DF, then anybody who illegally fragments is sure cause massive corrupted data, and will be rightly blamed for it. John Heffner told me that this was done for some Linux releases but was backed out because it breaks ppp header compression that assumes that the IP ID always advances by small positive integers.

Note that this would not hurt your approach either.

 We will likely implement draft-richardson-ipsec-fragment-* within the
next month or two, depending upon resources.

If you can suggest any ways to put more of ideas from your draft into section 5.5.3, that would be great.

Thanks,
--MM--
-------------------------------------------
Matt Mathis      http://www.psc.edu/~mathis
Work:412.268.3319    Home/Cell:412.654.7529
-------------------------------------------
"My heart is in the work." -- Andrew Carnegie

_______________________________________________
pmtud mailing list
pmtud at ietf.org
https://www1.ietf.org/mailman/listinfo/pmtud

Follow-Ups:
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Michael Richardson

References:
- [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Matthew J Zekauskas
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Fred Templin
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Matt Mathis
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Fred L. Templin
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Matt Mathis
- Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
  - From: Michael Richardson

Prev by Date: [pmtud] path MTU discovery and congestion control
Next by Date: Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
Previous by thread: Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
Next by thread: Re: [pmtud] updated: Agenda for PMTUD at IETF 60 in San Deigo
Index(es):
- Date
- Thread