PMTU Discovery Security Concerns

Derek Fawcus dfawcus+lists-wireguard at
Fri Apr 20 13:11:36 CEST 2018

On Mon, Apr 16, 2018 at 07:23:29AM +0200, Jason A. Donenfeld wrote:
> > See RFC4821, RFC8085 and
> >
> > for more info about PLMTUD.
> >
> >
> > has a quick overview of where IPsec stands with implementing it.
> Thanks for these. I followed the rabbit hole, and found [1], which
> seems to be the current latest and greatest from the IPsec people.
> It's probes inside the control plane.

Using something based upon that UDP version of PLMTUD would seem to
be the correct approach, sending probe packets protected by the
encryption layer.

Rather than have it totally based upon the control layer, one could
use a data layer notification of decrypted packets arriving to
indicate that certain sizes have been received, then reflect those
back to the sender in a minimal encrypted ack packet.  i.e. something
similar to how solicited probe responses operate for IPv6 NDP.

Keep in mind that the PMTU may be different in the two directions.


More information about the WireGuard mailing list