Re: [IPsec] PLMTUD probes for IPsec

On Thu, May 10, 2018 at 10:21 PM, Paul Wouters wrote: > On Thu, 10 May 2018, Shibu wrote: > > PMTUD over IKE is needed anyways for large IKE cert payloads >> > > I don't agree. We can handle these with fragmentation now just fine. > > IKE Fragmentation internally utilize an MTU value - either

Re: [IPsec] PLMTUD probes for IPsec

On Thu, 10 May 2018, Shibu wrote: PMTUD over IKE is needed anyways for large IKE cert payloads I don't agree. We can handle these with fragmentation now just fine. However, one caveat with above approach is that there is an implicit assumption that paths for control and data traffic  are

Re: [IPsec] PLMTUD probes for IPsec

Shibu wrote: > PMTUD over IKE is needed anyways for large IKE cert payloads, so if we do > PMTUD over IKE, we could depend upon the same discovered MTU value for ESP > paths as well as a guidance value. This seems to work for most of the > cases, and there

Re: [IPsec] PLMTUD probes for IPsec

Shibu writes: > With SDWAN use cases (wherein paths could be orchestrated based on proto, > port, QoS, App ID etc), would it be a precise  assumption to make? How would > we handle these cases when the paths are build for ESP and IKE differently? If the ESP and IKEv2 packates do not follow the

Re: [IPsec] PLMTUD probes for IPsec

Hello Tero and all, We discussed internally among the authors and it looks there exist 3 choices - to do PMTUD over IKE, or ESP or both. (Many reviewers have already pointed out these at various stages, just collating them here). PMTUD over IKE is needed anyways for large IKE cert payloads, so

Re: [IPsec] PLMTUD probes for IPsec

On Fri, 13 Apr 2018, Tero Kivinen wrote: Paul Wouters writes: Using IKE also has a disandvantage for for those implementations that only support a window size of one. If those IKE messages are lost - which is highly likely because we are trying out larger window sizes until we find something

Re: [IPsec] PLMTUD probes for IPsec

Paul Wouters writes: > Using IKE also has a disandvantage for for those implementations that > only support a window size of one. If those IKE messages are lost - > which is highly likely because we are trying out larger window sizes > until we find something that works - things get tricky (even

Re: [IPsec] PLMTUD probes for IPsec

Ron Bonica writes: > In 99.9% of cases you are probably correct. If there is an ECMP > between the encrypting node and the decrypting node, all ECMPs have > the same PMTU. Is it 99.9%, or 99.%? > And because this is true in such a vast majority of cases, none of > us have seen a situation

Re: [IPsec] PLMTUD probes for IPsec

Ron Bonica writes: > Hi Valery, > > I am thinking like this... > > - If we do nothing, tunnel performance is acceptable but > suboptimal. We can prevent blackholing by statically configuring > the tunnel MTU to a sufficiently low value. However, we cannot > take advantage of tunnels

Re: [IPsec] PLMTUD probes for IPsec

On Wed, 11 Apr 2018, Ron Bonica wrote: - If we do nothing, tunnel performance is acceptable but suboptimal. We can prevent blackholing by statically configuring the tunnel MTU to a sufficiently low value. However, we cannot take advantage of tunnels with larger PMTUs. - If we use IKE to

Re: [IPsec] PLMTUD probes for IPsec

>Ron > > > > -Original Message- > > From: Valery Smyslov <smyslov.i...@gmail.com> > > Sent: Tuesday, April 10, 2018 2:57 AM > > To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson'

Re: [IPsec] PLMTUD probes for IPsec

m> > Sent: Tuesday, April 10, 2018 2:57 AM > To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson' > <mcr+i...@sandelman.ca> > Cc: ipsec@ietf.org > Subject: RE: [IPsec] PLMTUD probes for IPsec > > Hi Ron, > > > Both good points. So, it appears that

Re: [IPsec] PLMTUD probes for IPsec

Valery Smyslov writes: > > Both good points. So, it appears that we have the following choices: > > > > - leverage IKE for exchanging probes and acks (But risk sending probes and > > acks over a different path than > > encrypted data) > > - send probes and acks in-band. Try UDP probes first. If

Re: [IPsec] PLMTUD probes for IPsec

From: Valery Smyslov <smyslov.i...@gmail.com> > > Sent: Friday, April 6, 2018 3:24 AM > > To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson' > > <mcr+i...@sandelman.ca> > > Cc: ipsec@ietf.org > > Subject: RE: [IPsec] PLMTUD probes for IPsec >

Re: [IPsec] PLMTUD probes for IPsec

> > -Original Message- > > From: Michael Richardson <mcr+i...@sandelman.ca> > > Sent: Thursday, April 5, 2018 11:09 AM > > To: Valery Smyslov <smyslov.i...@gmail.com> > > Cc: ipsec@ietf.org; Ron Bonica <rbon...@juniper.net> > > Subject:

Re: [IPsec] PLMTUD probes for IPsec

rbon...@juniper.net> > Subject: Re: [IPsec] PLMTUD probes for IPsec > > > Valery Smyslov <smyslov.i...@gmail.com> wrote: > >> > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica > >> > https://datatracker.ietf.org/meeting/101/material

Re: [IPsec] PLMTUD probes for IPsec

Valery Smyslov wrote: >> > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica >> > https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu- >> discovery-01 >> >> > Problem: IPsec Tunnel has an PMTU as

Re: [IPsec] PLMTUD probes for IPsec

Hi Paul, > > Why IKE messages cannot be used for this purpose? > > IKE messages might not take the same path, eg ESP goes through hardware > offload or other things, or intermediary routers might have different > rules for UDP vs ESP. True, unless UDP encapsulation is used... Regards, Valery.

Re: [IPsec] PLMTUD probes for IPsec

On Thu, 5 Apr 2018, Valery Smyslov wrote: Why IKE messages cannot be used for this purpose? IKE messages might not take the same path, eg ESP goes through hardware offload or other things, or intermediary routers might have different rules for UDP vs ESP. Paul

Re: [IPsec] PLMTUD probes for IPsec

Hi Michael, > > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica > > > https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu- > discovery-01 > > > Problem: IPsec Tunnel has an PMTU as any other tunnel. > > Solution in Transport