PMTU Discovery Security Concerns

Jason A. Donenfeld Jason at zx2c4.com
Mon Apr 16 07:23:29 CEST 2018


On Sun, Apr 15, 2018 at 7:51 PM, Tim Sedlmeyer <tim at sedlmeyer.org> wrote:
> - Which allowed-ip do you use?
> - If the allowed-ip is a network, which ip within it do you choose to ping?
> - If you are connected to a single peer with an allowed-ip of 0.0.0.0/0 what
>   ip do you ping?

Yea, the actual IP discovery is a hurdle to figure out.

> The allowed-ip isn't guaranteed to be on the same device as the peer so,
> in the end you aren't measuring the mtu over the connection between peers
> but the complete path to that allowed-ip which could involve more devices and
> connections with smaller MTUs than between the peers themselves.

That's probably fine and even desirable, since we're looking for the
PMTU along a certain route.

> See RFC4821, RFC8085 and
> https://tools.ietf.org/html/draft-ietf-tsvwg-datagram-plpmtud-01
> for more info about PLMTUD.
>
> https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu-discovery-01
> has a quick overview of where IPsec stands with implementing it.

Thanks for these. I followed the rabbit hole, and found [1], which
seems to be the current latest and greatest from the IPsec people.
It's probes inside the control plane. Reading the references, such as
[2], it seems pretty unanimous that going anywhere near out-of-tunnel
ICMP messages is a disaster, as I suggested in the original post here.
That's useful confirmation, and I guess we'll indeed have to look at
creative non-ICMP solutions for PMTUD to happen.

[1] https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-01.html
[2] https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00
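As an added illustration of the in-tunnel, non-ICMP probing that the thread converges on (this is example code, not WireGuard's or any draft's implementation): the search below is a PLPMTUD-style binary search in the spirit of RFC 4821. A probe is a padded datagram sent to the peer inside the tunnel, and the only signal consumed is the peer's authenticated acknowledgement, so an off-path ICMP Packet-Too-Big never touches the estimate. The `Path` interface, `SimPath`, the base size of 1280 and the retry count are assumptions made for the example; the simulated path also drops one probe size once, to show why RFC 4821 retries a probe before concluding the size is too large. Which inner address the probe would be aimed at, the question raised earlier in the thread, is deliberately not modelled.

```go
package main

import "fmt"

// Path abstracts the tunnel towards one peer. Probe sends a padded
// in-tunnel datagram of the given outer size and reports whether the
// peer's authenticated acknowledgement came back. Nothing here reads
// ICMP Packet-Too-Big messages, so an off-path sender has no way to
// drive the estimate down.
type Path interface {
	Probe(size int) bool
}

// SimPath is a constructed stand-in for a real tunnel (assumption for
// this example): every hop forwards probes of up to MTU bytes, and
// DropOnce lists sizes whose first probe is lost for some reason other
// than MTU, e.g. congestion.
type SimPath struct {
	MTU      int
	DropOnce map[int]bool
	Sent     int // number of probes sent, for reporting only
}

func (p *SimPath) Probe(size int) bool {
	p.Sent++
	if p.DropOnce[size] {
		delete(p.DropOnce, size)
		return false
	}
	return size <= p.MTU
}

// probeConfirmed retries a probe size up to attempts times, as RFC 4821
// suggests, so a single lost probe is not mistaken for a too-small MTU.
func probeConfirmed(p Path, size, attempts int) bool {
	for i := 0; i < attempts; i++ {
		if p.Probe(size) {
			return true
		}
	}
	return false
}

// SearchPMTU is a PLPMTUD-style binary search. base is a size the path
// is assumed to carry (1280 is the IPv6 minimum link MTU); max is the
// largest size worth trying, typically the local interface MTU. It
// returns the largest size confirmed by a peer acknowledgement, falling
// back to base when nothing larger is confirmed.
func SearchPMTU(p Path, base, max, attempts int) int {
	if max <= base {
		return base
	}
	if probeConfirmed(p, max, attempts) {
		return max
	}
	lo, hi := base, max // lo: confirmed deliverable; hi: confirmed too big
	for hi-lo > 1 {
		mid := (lo + hi) / 2
		if probeConfirmed(p, mid, attempts) {
			lo = mid
		} else {
			hi = mid
		}
	}
	return lo
}

func main() {
	// Constructed scenario: path MTU 1420, and the 1417-byte probe is
	// lost once. With a single attempt the search settles on 1416; with
	// two attempts the retry recovers and it finds 1420.
	for _, attempts := range []int{1, 2} {
		p := &SimPath{MTU: 1420, DropOnce: map[int]bool{1417: true}}
		got := SearchPMTU(p, 1280, 1500, attempts)
		fmt.Printf("attempts=%d: pmtu=%d after %d probes\n", attempts, got, p.Sent)
	}
}
```

The point worth taking from the run is that a lossy path can only make the estimate too small, never too large, and that it moves only on evidence the peer authenticated. A real implementation would additionally re-probe periodically, since the path can change underneath the tunnel.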