PMTU Discovery Security Concerns
tim at sedlmeyer.org
Sun Apr 15 18:06:23 CEST 2018
PMTUD on the Internet is often broken and increasingly becoming more
broken, so in my opinion introducing any level of potential security
concern to support it would be unwise.
If MTU issues are regularly presenting a significant issue to
successful deployment of wireguard than in the short term I would
suggest doing what many ipsec implementations do, give up some
performance in order to increase the likelihood of successful
transmission by assigning a default MTU significantly small enough to
avoid issues in the vast majority of circumstances. For instance by
default the OS X ipsec vpn implementation assigns an MTU of 1280, the
minimum IPv6 datagram size, to the tunnel by default. Cisco assigns an
MTU of 1300 by default.
In the long term some form of packetization layer path mtu discovery
probably should be added to the wireguard protocol itself. Perhaps by
padding the first message of the handshake to utilize it as a mtu
On Sun, Apr 15, 2018 at 10:08 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi list,
> [CC'ing Luis, who's been working on this with me.]
> I've more or less figured out how to do PMTU discovery (something
> along the lines of https://xn--4db.cc/WFHQzX2o/c inspired by the vti
> driver). I wonder, however, if this is safe to do.
> The basic idea is that if you're talking to a WireGuard peer via its
> internal tunnel IP address, the kernel keeps some notion of what that
> internal IP address's PMTU is. Meanwhile, WireGuard itself is talking
> to that peer via its external endpoint IP address, and the kernel
> keeps some notion of what that external IP address's PMTU is. If the
> encrypted packets are larger than the external PMTU, well behaved
> networks will send ICMP messages, indicating that packets sent to that
> external endpoint IP should be smaller. This, however, doesn't have
> anything to do with what the user is trying to send internally, and so
> there will continue to be overly large packets sent.
> The way to fix it would be to relay the external endpoint PMTU to the
> internal tunnel PMTU. Then, when an external encrypted packet gets
> dropped due to being overly large, the ICMP message for that winds up
> affecting the internal tunneled IP address's PMTU, so that the next
> message it sends is smaller. All is well, packets flow, and TCP
> sessions no longer stall. This is generally how PMTU discovery works
> with network tunnels.
> The security problem is that those ICMP messages indicating we should
> send smaller packets are unauthenticated, since they're triggered by
> things external to the tunnel, rather than inside the tunnel. By
> propagating the information from those unauthenticated ICMP messages
> to state that concerns the inside of the tunnel, we're essentially
> enabling an unauthenticated state injection. This could enable some
> mischief. On the benign end of the spectrum, an attacker could launch
> a DoS attack by causing the sending end to use smaller and smaller
> packets. On the scarier end of the spectrum, an attacker could
> intelligently do this to change the size of packets and observe the
> way in which a data flow is rechunked, in order to infer something
> about the actual data being encrypted.
> These security concerns make me inclined to just simplistically
> declare, "PMTU discovery in tunnels can't be done securely with the
> existing Internet, so WireGuard doesn't support it." However,
> undoubtedly smart people have thought about this before, and perhaps
> they've come up with real solutions for this. Indeed I've come across
> various discussions of the matter in the IPsec RFCs. But at the
> present moment, I'm unsure what the most reasonable way forward is.
> So, I thought if anyone on the list has thought about this extensively
> before and would like to chime in with some wisdom, I'm all ears.
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
More information about the WireGuard