idnits 2.17.1 draft-richardson-ipsec-fragment-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.5 on line 200. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 184. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 190. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 206), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 36. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document seems to lack an RFC 3979 Section 5, para. 1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 17, 2004) is 7216 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 8 errors (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Independent submission M. Richardson 3 Internet-Draft SSW 4 Expires: January 15, 2005 July 17, 2004 6 An interim solution to the Path MTU discovery problem for IPsec 7 gateways 8 draft-richardson-ipsec-fragment-01.txt 10 Status of this Memo 12 By submitting this Internet-Draft, I certify that any applicable 13 patent or other IPR claims of which I am aware have been disclosed, 14 and any of which I become aware will be disclosed, in accordance with 15 RFC 3667. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that other 19 groups may also distribute working documents as Internet-Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at http:// 27 www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on January 15, 2005. 34 Copyright Notice 36 Copyright (C) The Internet Society (2004). All Rights Reserved. 38 Abstract 40 Path MTU discovery depends upon proper respect for the Don't Fragment 41 (DF) bit. IPsec gateways often present an Maximum Transmission Unit 42 (MTU) constraint, and therefore must send ICMP Fragment Needed 43 messages when the DF bit is set. This document proposes to ignore it 44 in certain cases. 46 Table of Contents 48 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 49 2. Heuristic . . . . . . . . . . . . . . . . . . . . . . . . . . 4 50 2.1 Step 0 - selection . . . . . . . . . . . . . . . . . . . . . . 4 51 2.2 Step 1 - tracking . . . . . . . . . . . . . . . . . . . . . . 4 52 2.3 Step 2 - size check . . . . . . . . . . . . . . . . . . . . . 4 53 2.4 Step 3 - error throttling . . . . . . . . . . . . . . . . . . 4 54 2.5 Step 4 - send . . . . . . . . . . . . . . . . . . . . . . . . 4 55 3. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 Normative references . . . . . . . . . . . . . . . . . . . . . 6 57 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 6 58 Intellectual Property and Copyright Statements . . . . . . . . 7 60 1. Introduction 62 Path MTU discovery [1] depends upon proper respect for the Don't 63 Fragment (DF) bit. IPsec gateways often present an Maximum 64 Transmission Unit (MTU) constraint, and therefore must send ICMP 65 Fragment Needed messages when the DF bit is set. 67 At the same time, increasing numbers of firewalls and networks are 68 misconfigured, and drop all ICMP messages. For road-warriors that 69 operate on an extruded IP address (i.e. one from behind their 70 security gateway, and route all traffic through the corporate 71 firewall), they find that they can not reach certain sites. When full 72 size datagrams arrive at the VPN gateway with the DF bit set (such as 73 from a web server's response), they are too big to enter the tunnel. 74 An ICMP is sent (rate limited) and the oversize datagram is 75 discarded. The ICMP is filtered out, and the sender never reduces its 76 segment size. The result is that the web site stalls. Ironically, 77 this occurs more often for more efficient web servers, as they tend 78 to fill the datagram more regularly. 80 Although the site in question is misconfigured, the IPsec system is 81 blamed, since the site "works fine" when the IPsec tunnel is removed. 82 The result is that many IPsec security gateway vendors are resorting 83 to ignoring the DF bit, and fragmenting the datagram anyway (either 84 before encapsulation, or fragmenting the resulting ESP packet). 86 To complicate the situation, the PMTUD WG, has recognized the 87 proliferation of missconfigured systems wrt ICMP, and is proposing a 88 new method of determining the MTU. The new method does not rely on 89 ICMPs, but rather on the non-delivery of occasional larger probes. 90 The only requirement that the new method places on lower layers is 91 that they reliably discard probes that are larger than the path MTU. 92 With this new method, devices that do not honor the DF bit are at 93 risk of invoking needless fragmentation. 95 Further, for high speed networks, that employ larger TCP windows, the 96 result of the fragmentation can cause TCP segments to become 97 corrupted. {ref please} 99 This document proposes a heuristic for IPsec security gateways to 100 observe such that they will interop with the both the current PMTU 101 methods (given that ICMP is broken) and new mechanisms. 103 2. Heuristic 105 Summary: If the system is keeping per flow state, preferentially 106 error packets that suddenly reach a new high-water mark for each 107 particular flow, because they arelikely to be probes, or classic 108 PMTUD. 110 For systems that have per-flow [Host to Host] (Ed. per-microflow - 111 5-tuple?) tracking, step 1 is included. Otherwise, it is skipped. 113 2.1 Step 0 - selection 115 Is the datagram is too big for the tunnel, and has the DF bit set? If 116 not, encapsulate as normal. 118 2.2 Step 1 - tracking 120 Keep track of the largest datagram size received. When there is a new 121 high water mark, do standard ICMP Need Fragment processing. If this 122 is the first time the datagram was too big, then goto step 4. If not, 123 then drop datagram. 125 2.3 Step 2 - size check 127 Is the amount that the packet is too big exactly due to the tunnel 128 overhead? (In particular, this would never apply when the media on 129 both sides is dissimilar). If not, do standard ICMP processing, and 130 drop the datagram. 132 2.4 Step 3 - error throttling 134 Does error rate limiting permit an ICMP error message be sent at this 135 time? (rate limited to about 1 packet per second) If so, then do 136 standard ICMP Need Fragment processing, and drop the datagram. 138 2.5 Step 4 - send 140 Fragment the datagram prior to encapsulation. Divide the datagram 141 into two equal pieces and encapsulate each one seperately. No attempt 142 to send an ICMP is made. 144 3. Example 146 A 1500 packet to which a 20 byte IP and 28 byte ESP header is added, 147 trying to fit on a 1500 byte network is fragmented anyway. 149 A 9000 byte packet with a 20 byte IP and 28 byte ESP header trying to 150 fit on a 1500 byte network is dropped. 152 Normative references 154 [1] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 155 November 1990. 157 Author's Address 159 Michael C. Richardson 160 Sandelman Software Works 161 470 Dawson Avenue 162 Ottawa, ON K1Z 5V7 163 CA 165 EMail: mcr@sandelman.ottawa.on.ca 166 URI: http://www.sandelman.ottawa.on.ca/ 168 Intellectual Property Statement 170 The IETF takes no position regarding the validity or scope of any 171 Intellectual Property Rights or other rights that might be claimed to 172 pertain to the implementation or use of the technology described in 173 this document or the extent to which any license under such rights 174 might or might not be available; nor does it represent that it has 175 made any independent effort to identify any such rights. Information 176 on the IETF's procedures with respect to rights in IETF Documents can 177 be found in BCP 78 and BCP 79. 179 Copies of IPR disclosures made to the IETF Secretariat and any 180 assurances of licenses to be made available, or the result of an 181 attempt made to obtain a general license or permission for the use of 182 such proprietary rights by implementers or users of this 183 specification can be obtained from the IETF on-line IPR repository at 184 http://www.ietf.org/ipr. 186 The IETF invites any interested party to bring to its attention any 187 copyrights, patents or patent applications, or other proprietary 188 rights that may cover technology that may be required to implement 189 this standard. Please address the information to the IETF at 190 ietf-ipr@ietf.org. 192 Disclaimer of Validity 194 This document and the information contained herein are provided on an 195 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 196 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 197 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 198 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 199 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 200 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 202 Copyright Statement 204 Copyright (C) The Internet Society (2004). This document is subject 205 to the rights, licenses and restrictions contained in BCP 78, and 206 except as set forth therein, the authors retain all their rights. 208 Acknowledgment 210 Funding for the RFC Editor function is currently provided by the 211 Internet Society.