"Eric Vyncke (evyncke)" <evyn...@cisco.com> writes:

Chris,

The -17 version indeed addresses one of the 4 DISCUSS points, namely the hop 
limit vs. TTL. Thank you for this.

I am far from being convinced that the added text about ICMP handling is rock
solid though. While I cannot point to a specific issue, I fear that aggregating and
fragmenting inner packets and receiving one ICMP on the outer packet is not so
trivial and some actual guidance based on actual testing would be welcome. This
is 'unknown territory' AFAIK (no other aggr/frag tunnels over IP were
specified/deployed before) and for a 'standards track' I-D, we need more
guidance.

There's nothing too scary here.

- inner packet ICMP is completely independent of the IPsec tunnel, it's just 
more inner traffic.
- outer packet ICMP is addressing the same singular ESP packets it always has. 
It is related to things like the size of the outer packet (PMTU) or the 
destination of the outer packet, etc. This is unaffected by what is 
encapsulated inside the ESP packet.

Thus it is enough to refer back to RFC4301 here -- it really does cover all the 
cases.

FWIW when one is implementing IP-TFS all the ICMP receive mechanics have 
already occurred prior to you being handed your AGGFRAG payload to act on.

Thanks,
Chris.


The DISCUSS on the next header still holds of course. As I suggested, either 
update RFC 4303/8200 or request an IP protocol number.

Regards

-éric


On 24/08/2022, 18:49, "iesg on behalf of Christian Hopps" <iesg-boun...@ietf.org 
on behalf of cho...@chopps.org> wrote:


    Éric Vyncke via Datatracker <nore...@ietf.org> writes:
    > ----------------------------------------------------------------------
    > DISCUSS:
    > ----------------------------------------------------------------------
    >
    > ## DISCUSS
    >
    > ### Section 2.2.6
    >
    > Please also mention hop-limit and RFC 8200.
    >
    > ### Absence of ICMP considerations
    >
    > Should there be an equivalent of section 6 of RFC 4301 about ICMP? As several
    > unprotected packets can be bundled together, some guidance to the implementers
    > will be welcome.

    The section has been modified to address these concerns:

      *** IPv4 Time-To-Live (TTL), IPv6 Hop Limit, and Tunnel errors

      [[RFC4301]] specifies how to modify the inner packet IPv4 TTL [[RFC0791]] or
      IPv6 Hop Limit [[RFC8200]].

      Any errors (e.g., ICMP errors) are handled the same as with
      non-AGGFRAG IPsec tunnels. This applies to both the outer traffic as
      well as the inner traffic prior to it entering the tunnel, see
      [[RFC4301]].

    I believe this should cover the rest of the items left in this DISCUSS ballot.

    Thanks,
    Chris.

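The layering Chris describes above (outer ICMP such as Packet Too Big concerns only the outer ESP packet, while inner ICMP is just more inner traffic, and an AGGFRAG receiver only ever sees payloads after the outer-packet mechanics have run) can be illustrated with a small model. The code below is an added example written for this thread; it is not code from the draft, RFC 4301, or any IP-TFS implementation. Its framing (a 2-byte length per inner packet, a 2-byte block offset per outer payload, zero-length padding) is a constructed stand-in for the real AGGFRAG wire format, `ESP_OVERHEAD` is an assumed per-packet figure, and detection of a lost outer packet (`dropped_before`) is assumed to come from ESP sequence numbers outside this model.

```python
"""Toy model of an aggregating/fragmenting (IP-TFS style) tunnel.
Framing is constructed for illustration, NOT the AGGFRAG wire format."""
import struct
from typing import List, Optional

ESP_OVERHEAD = 50  # assumed outer IP + ESP framing bytes per outer packet (constructed)
HDR = 2            # toy per-payload header: block offset to first new inner packet


def encode_record(pkt: bytes) -> bytes:
    """Toy framing: 2-byte length followed by the inner packet bytes."""
    return struct.pack("!H", len(pkt)) + pkt


class Encapsulator:
    def __init__(self, outer_pmtu: int):
        self.outer_pmtu = outer_pmtu
        self.queue: List[bytes] = []   # inner packets waiting to be carried
        self.pending = b""             # remainder of a record already started

    @property
    def payload_size(self) -> int:
        return self.outer_pmtu - ESP_OVERHEAD - HDR

    def outer_icmp_ptb(self, mtu: int) -> None:
        """Outer ICMP Packet Too Big is about the outer ESP packet only: the
        tunnel shrinks its outer size; no inner packet sees any error."""
        self.outer_pmtu = mtu

    def send_inner(self, pkt: bytes) -> None:
        """Inner traffic, an inner ICMP message included, is just bytes to carry."""
        self.queue.append(pkt)

    def has_data(self) -> bool:
        return bool(self.queue or self.pending)

    def next_outer(self) -> bytes:
        """Build one fixed-size outer payload, continuing any cut record first."""
        size = self.payload_size
        body = self.pending[:size]
        block_offset = len(body)            # bytes continuing the previous fragment
        self.pending = self.pending[size:]
        while len(body) < size and self.queue:
            rec = encode_record(self.queue.pop(0))
            room = size - len(body)
            body += rec[:room]
            self.pending = rec[room:]       # non-empty only if rec was cut here
        body += b"\0" * (size - len(body))  # zero length field marks padding
        return struct.pack("!H", block_offset) + body


class Decapsulator:
    def __init__(self):
        self.tail = b""    # start of a record that continues in the next payload
        self.lost = False  # skipping continuation bytes after an outer loss

    def recv_outer(self, payload: bytes, dropped_before: bool = False) -> List[bytes]:
        (block_offset,) = struct.unpack("!H", payload[:HDR])
        data = payload[HDR:]
        out: List[bytes] = []
        if dropped_before:
            self.tail, self.lost = b"", True  # the fragment start is gone for good
        self.tail += data[:block_offset]
        if block_offset and block_offset == len(data):
            return out                        # whole payload continues a fragment
        if block_offset and not self.lost:
            (n,) = struct.unpack("!H", self.tail[:2])
            if len(self.tail) == 2 + n:
                out.append(self.tail[2:])
        self.tail, self.lost = b"", False     # block offset lets us resync here
        rest = data[block_offset:]
        while rest:
            if len(rest) < 2:
                self.tail = rest              # straddle or 1-byte pad; next offset decides
                break
            (n,) = struct.unpack("!H", rest[:2])
            if n == 0:
                break                         # padding
            if len(rest) < 2 + n:
                self.tail = rest              # record continues in next payload
                break
            out.append(rest[2:2 + n])
            rest = rest[2 + n:]
        return out


def run_scenario(drop_index: Optional[int] = None):
    """Carry three constructed inner packets (b"I"*60 stands for an inner ICMP
    message), then shrink the outer PMTU after an outer ICMP PTB and carry one
    more. Returns (inner packets recovered, outer payload sizes used)."""
    inner = [b"A" * 1200, b"I" * 60, b"B" * 800, b"C" * 1500]
    enc, dec, outers = Encapsulator(outer_pmtu=1500), Decapsulator(), []
    for pkt in inner[:3]:
        enc.send_inner(pkt)
    while enc.has_data():
        outers.append(enc.next_outer())
    enc.outer_icmp_ptb(1280)                  # only the outer layer reacts
    enc.send_inner(inner[3])
    while enc.has_data():
        outers.append(enc.next_outer())
    recovered: List[bytes] = []
    for i, o in enumerate(outers):
        if i == drop_index:
            continue                          # simulate loss of one outer packet
        just_after_drop = drop_index is not None and i == drop_index + 1
        recovered.extend(dec.recv_outer(o, dropped_before=just_after_drop))
    return recovered, [len(o) - HDR for o in outers]


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(drop_index=1))
```

Running it shows the outer payloads shrinking from 1448 to 1228 bytes after the PTB while every inner packet, the inner ICMP message included, arrives unchanged; dropping one outer packet loses only the inner packets whose bytes were inside it, and the block offset lets the receiver resynchronise on the next payload without any inner-level error.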

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
