Michael Richardson <mcr+i...@sandelman.ca> writes:

Paul Wouters <paul.wout...@aiven.io> wrote:
    >> > Or use IPTFS and set your own max packet size sufficiently low?
    >>
    >> I think that this is the killer app for IPTFS.
    >>

    > But of course this means either IPTFS should be able to auto-tune this,
    > or else we end up with hardcoded configs that might stop working or
    > cause future problems.

I think that the ESPping mechanism is the right way to do "PLPMTUD" for IPTFS.
(for the outer MTU)

This is only the case for running IPTFS in the "secure mode" (i.e., sending at 
fixed intervals); however, we did put a bit in the congestion control header specifically 
to support PLPMTUD -- the P-bit:

https://datatracker.ietf.org/doc/html/rfc9347#section-6.1.2

:)

For demand sent IPTFS, something like an ESPping would probably be the way to 
go.

Thanks,
Chris.


    >> > I'm not convinced doing this between IPsec peers will solve any real
    >> > use cases.
    >>
    >> I am also skeptical, but I don't object to the work getting
    >> standardized.
    >>
    >> In particular, for networks where there are MTU constraints on the far
    >> side of the far gateway, telling the sending gateway about the MTU has
    >> a far higher chance of working than anything else.  The sending
    >> gateway probably can send PTB ICMPs with better results.

    > There would need to be dynamic updating, kernel <-> userland
    > communications, etc.  Just hardcoding this in an ikev2 configuration
    > would be pretty bad.

yeah, I don't know exactly how to do the userland communication.
How specific does it need to be is my question?  How to express that?
Looking at mtu-dect, I'm unclear how the LMAP and PTB describe the flow
which has the MTU concern.  It's mostly clear when it appears along with TSx
that it applies to that traffic, but not for the other notifications.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec