PMTU Discovery Security Concerns

Jason A. Donenfeld Jason at
Mon Apr 16 07:23:29 CEST 2018

On Sun, Apr 15, 2018 at 7:51 PM, Tim Sedlmeyer <tim at> wrote:
> - Which allowed-ip do you use?
> - If the allowed-ip is a network, which ip within it do you choose to ping?
> - If you are connected to a single peer with an allowed-ip of what
>   ip do you ping?

Yea, the actual IP discovery is a hurdle to figure out.

> The allowed-ip isn't guaranteed to be on the same device as the peer, so
> in the end you aren't measuring the MTU over the connection between peers
> but the complete path to that allowed-ip, which could involve more devices and
> connections with smaller MTUs than between the peers themselves.

That's probably fine and even desirable, since we're looking for the
PMTU along a certain route.

> See RFC4821, RFC8085 and
> for more info about PLMTUD.
> has a quick overview of where IPsec stands with implementing it.

Thanks for these. I followed the rabbit hole, and found [1], which
seems to be the current latest and greatest from the IPsec people.
It's probes inside the control plane. Reading the references, such as
[2], it seems pretty unanimous that going anywhere near out-of-tunnel
ICMP messages is a disaster, as I suggested in the original post here.
That's useful confirmation, and I guess we'll indeed have to look at
creative non-ICMP solutions for PMTUD to happen.

