PMTU Discovery Security Concerns
Jason A. Donenfeld
Jason at zx2c4.com
Mon Apr 16 07:23:29 CEST 2018
On Sun, Apr 15, 2018 at 7:51 PM, Tim Sedlmeyer <tim at sedlmeyer.org> wrote:
> - Which allowed-ip do you use?
> - If the allowed-ip is a network, which ip within it do you choose to ping?
> - If you are connected to a single peer with an allowed-ip of 0.0.0.0/0 what
> ip do you ping?
Yea, the actual IP discovery is a hurdle to figure out.
> The allowed-ip isn't guaranteed to be on the same device as the peer so,
> in the end you aren't measuring the mtu over the connection between peers
> but the complete path to that allowed-ip which could involve more devices and
> connections with smaller MTUs than between the peers themselves.
That's probably fine and even desirable, since we're looking for the
PMTU along a certain route.
> See RFC4821, RFC8085 and
> https://tools.ietf.org/html/draft-ietf-tsvwg-datagram-plpmtud-01
> for more info about PLMTUD.
>
> https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu-discovery-01
> has a quick overview of where IPsec stands with implementing it.
Thanks for these. I followed the rabbit hole, and found [1], which
seems to be the current latest and greatest from the IPsec people.
It's probes inside the control plane. Reading the references, such as
[2], it seems pretty unanimous that going anywhere near out-of-tunnel
ICMP messages is a disaster, as I suggested in the original post here.
That's useful confirmation, and I guess we'll indeed have to look at
creative non-ICMP solutions for PMTUD to happen.
[1] https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-01.html
[2] https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00
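As an added illustration of the in-tunnel probing approach discussed above (example code, not WireGuard's and not from the cited drafts), the following Python simulates an RFC 4821 style packetization-layer search in which the only signal consulted is whether an authenticated in-tunnel probe was acknowledged by the peer; the probe size bounds and the simulated path are constructed for the example.

```python
"""Simulated packetization-layer PMTU discovery (RFC 4821 style).

The search only trusts whether an in-tunnel probe of a given size was
acknowledged by the peer. No out-of-tunnel ICMP Packet-Too-Big message is
consulted, so an off-path sender of forged ICMP cannot drive the MTU down.
"""
from typing import Callable

MIN_PROBE = 1280  # constructed lower bound (IPv6 minimum link MTU)
MAX_PROBE = 1500  # constructed upper bound (Ethernet-sized payload)


class SimulatedPath:
    """Constructed stand-in for a path: any probe larger than real_mtu is lost."""

    def __init__(self, real_mtu: int) -> None:
        self.real_mtu = real_mtu
        self.probes_sent = 0

    def probe(self, size: int) -> bool:
        # True only when the peer's acknowledgement came back, i.e. the probe
        # fitted through every hop. A lost probe simply yields no ack.
        self.probes_sent += 1
        return size <= self.real_mtu


def plpmtud_search(probe: Callable[[int], bool], lo: int = MIN_PROBE,
                   hi: int = MAX_PROBE) -> int:
    """Return the largest acknowledged size between lo and hi.

    If even lo is not acknowledged, lo is returned unchanged: the search
    never goes below the configured minimum, whatever the path does."""
    if not probe(lo):
        return lo
    if probe(hi):
        return hi
    # Invariant from here on: probe(lo) acked, probe(hi) lost.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def revalidate(probe: Callable[[int], bool], current: int) -> int:
    """Periodic re-check of an established size: if it still gets through,
    try to raise it; if it has started to black-hole, search downward."""
    if probe(current):
        return plpmtud_search(probe, current, MAX_PROBE)
    return plpmtud_search(probe, MIN_PROBE, current)
```

A forged Packet-Too-Big arriving outside the tunnel has no place in this loop; at most it can be used as a hint to schedule the next revalidate probe early.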