PMTU Discovery Security Concerns
Jason A. Donenfeld
Jason at zx2c4.com
Mon Apr 16 07:23:29 CEST 2018
On Sun, Apr 15, 2018 at 7:51 PM, Tim Sedlmeyer <tim at sedlmeyer.org> wrote:
> - Which allowed-ip do you use?
> - If the allowed-ip is a network, which ip within it do you choose to ping?
> - If you are connected to a single peer with an allowed-ip of 0.0.0.0/0 what
> ip do you ping?
Yea, the actual IP discovery is a hurdle to figure out.
> The allowed-ip isn't guaranteed to be on the same device as the peer so,
> in the end you aren't measuring the mtu over the connection between peers
> but the complete path to that allowed-ip which could involve more devices and
> connections with smaller MTUs than between the peers themselves.
That's probably fine and even desirable, since we're looking for the
PMTU along a certain route.
> See RFC4821, RFC8085 and
> for more info about PLMTUD.
> has a quick overview of where IPsec stands with implementing it.
Thanks for these. I followed the rabbit hole, and found , which
seems to be the current latest and greatest from the IPsec people.
It's probes inside the control plane. Reading the references, such as
, it seems pretty unanimous that going anywhere near out-of-tunnel
ICMP messages is a disaster, as I suggested in the original post here.
That's useful confirmation, and I guess we'll indeed have to look at
creative non-ICMP solutions for PMTUD to happen.
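As an added illustration of the "probes inside the control plane" approach discussed above (this is not code from WireGuard or from anyone on the thread), the sketch below simulates RFC 4821-style packetization-layer PMTU discovery: the sender learns the path MTU purely from which probe sizes are acknowledged by the peer and treats a lost probe as "too big", so no out-of-tunnel ICMP message is ever consulted. The `SimulatedPath` class is a constructed stand-in for the tunnel path (it silently drops anything above `path_mtu`); in a real implementation `send_probe` would send an authenticated probe to the peer's endpoint and wait for the peer's authenticated acknowledgment, which also sidesteps the "which allowed-ip do you ping?" question because the probe is addressed to the peer itself.

```python
"""Simulated packetization-layer PMTU discovery (RFC 4821 style).

Added example: the path model below is constructed for illustration and
is not WireGuard code. Only acknowledgments from the peer are trusted;
ICMP "fragmentation needed" messages play no role in the search.
"""
from dataclasses import dataclass

MIN_PROBE = 1280   # assumed always-deliverable lower bound (IPv6 minimum MTU)
MAX_PROBE = 1500   # assumed local interface MTU, the upper bound of the search


@dataclass
class SimulatedPath:
    """Constructed stand-in for the tunnel path: drops probes above path_mtu."""
    path_mtu: int
    probes_sent: int = 0

    def send_probe(self, size: int) -> bool:
        """Return True if an authenticated in-tunnel ack for a probe of `size`
        bytes came back. A silently dropped probe simply yields False."""
        self.probes_sent += 1
        return size <= self.path_mtu


def discover_pmtu(path: SimulatedPath, lo: int = MIN_PROBE,
                  hi: int = MAX_PROBE, granularity: int = 8) -> int:
    """Binary-search the largest acknowledged probe size in [lo, hi].

    Invariant during the loop: `lo` was acknowledged, `hi` was not.
    The search stops once the unknown interval is within `granularity`
    bytes and returns the largest size known to be acknowledged.
    """
    if not path.send_probe(lo):
        # Even the minimum-sized probe is lost; the path is unusable,
        # not just narrower than expected.
        raise RuntimeError("minimum probe size was not acknowledged")
    if path.send_probe(hi):
        return hi          # the full interface MTU fits along the path
    while hi - lo > granularity:
        mid = (lo + hi) // 2
        if path.send_probe(mid):
            lo = mid       # acked: the path carries at least this much
        else:
            hi = mid       # lost: treat silence as "too big", no ICMP needed
    return lo


if __name__ == "__main__":
    path = SimulatedPath(path_mtu=1420)        # constructed path with a 1420-byte MTU
    print(discover_pmtu(path, granularity=1), "bytes after", path.probes_sent, "probes")
```

Because a lost probe only ever lowers the estimate and a forged or spoofed message can never raise or lower it, the worst an attacker on the path can do is what they could already do by dropping packets; that is the property the IPsec drafts are after by keeping the probes inside the authenticated channel.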