On 06/ 1/10 09:50 PM, Vishwas Manral wrote:
Hi Erik,

Sorry for the late response.

One thing I wanted to clarify was that not every time we add data do we
change the source address. IPsec transport mode is a case in point. I
guess others have pointed out other cases. Can you explain your views
on the same?

The IPsec transport vs. tunnel mode is somewhat decoupled from whether or not the packet is encapsulated with an outer IP header. It can be used when the packet is encapsulated, although it is more common to use tunnel mode in that case. But you are thinking of the non-encapsulated case, which can only be done on the sending system i.e. on the system that is in the IPv6 source address field.

Here is how ESP is done:

                      BEFORE APPLYING ESP
              ---------------------------------------
        IPv6  |             | ext hdrs |     |      |
              | orig IP hdr |if present| TCP | Data |
              ---------------------------------------

                       AFTER APPLYING ESP
              ---------------------------------------------------------
        IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
              |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
              ---------------------------------------------------------
                                           |<--- encryption ---->|
                                       |<------ integrity ------>|

Here the orig IP hdr has a source address which is assigned to the system which is originating the TCP packet *and* applying ESP to the packet. Thus the way to handle path MTU and TCP MSS calculations is a local matter to that stack's implementation.

In no case can the above type of application of ESP be done in a router along the path.


The first thing is IPv6 MTU discovery is optional and the only
requirement is that the Minimum MTU is satisfied.

Yes, but 1280 plus a routing header will exceed 1280.
Thus the minimum MTU by itself doesn't save you.
One thing to consider is 802.15.4 has an MTU of only 127 octets. There
is a fragmentation and reassembly layer below the IP layer to satisfy
the MTU at each IP hop (just read RFC 4944). Once that is present in
my view it is not a problem to reassemble a larger packet. 802.15.4
experts would however be better suited to answer the question.

I don't see what it has to do with the details of 15.4.

What might be helpful is that the MTU for 4944 is defined to be no more than the IPv6 minimum. RFC 4944 says:
   The MTU size for IPv6 packets over IEEE 802.15.4 is 1280 octets.

Thus assuming ROLL is never applied to anything but RFC 4944 networks (which may or may not be a valid assumption), then we know that once a ROLL router has added the RH4 (and verified that the result is less than 1280 bytes) then there can be no subsequent issue with exceeding the MTU since subsequent ROLL routers will have an interface MTU of 1280 bytes. But this is not the case if ROLL is ever applied to networks that have an interface MTU larger than 1280.

Note that when a ROLL router wants to add RH4 it does have to check that the result wouldn't exceed 1280 bytes (the outgoing interface MTU). If it would, then the IPv6 packet would need to be fragmented by the ROLL router before RH4 is added to each fragment.

However, IPv6 routers can only fragment when they originate packets according to RFC 2460. And fragmentation elsewhere would be risky since it requires "inventing" the 32 bit fragment IDs that the original sender owns.

Thus I'm having a hard time seeing how what you are proposing fits with the IP architecture. The sane way is to have the ingress ROLL router add an IPv6 header and RH4 to the original packet, and then fragment that if the result exceeds the interface or tunnel MTU. FWIW this is exactly how a router applies IPsec to a forwarded packet.

There is a very big difference.
Tunneling means that the entity which added the tunneling headers is
in the source IP address field in the outer header. Thus ICMP errors
will be sent back to the tunnel entry point. It can then compensate
for the added headers by sending an ICMP packet too big with a
smaller MTU back to the original source. This is how IPvx in IPvy
tunneling is done. See for instance RFC 4213 and RFC 2473.
You seem to take things literally. Can you explain the behavior in the
case of IPsec transport mode where no new IP header is added and how
it is different?

See above.
You didn't seem to care reading this paragraph:

The big difference is that when a router does something to grow the size of
the packet (for instance, inserting a routing header) and it does not add an
outer IP header with its source address, then the ICMP errors will go back
to the original sender without being adjusted for the added header.

We can talk about it on the phone - that might be more efficient than these emails.

   Erik
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
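
The difference between header insertion and tunneling described in the message above, as an added simulation that is not part of the original email: it follows where the Packet Too Big error is delivered in each case and whether the original sender's path MTU discovery converges. The `discover` function and the 24-byte routing header size are assumptions made for illustration.

```python
IPV6_MIN_MTU = 1280  # minimum link MTU every IPv6 path must support (RFC 2460)
OUTER_HDR = 40       # fixed IPv6 header added by a tunnel entry point
RH_LEN = 24          # constructed routing-header size, for illustration only


def discover(mode, link_mtu, start, max_packets=8):
    """Simulate path MTU discovery by the original sender.

    mode "insert": a router adds RH_LEN bytes, original source address kept.
    mode "tunnel": a router adds OUTER_HDR + RH_LEN bytes and is the outer source.
    link_mtu is the smallest MTU downstream of that router.
    Returns (delivered, final_packet_size, packets_sent).
    """
    added = RH_LEN if mode == "insert" else OUTER_HDR + RH_LEN
    size, tunnel_mtu = start, None
    for sent in range(1, max_packets + 1):
        reported = None  # MTU in a Packet Too Big that reaches the sender
        if mode == "tunnel" and tunnel_mtu is not None and size > tunnel_mtu:
            if size <= IPV6_MIN_MTU:
                # Sender cannot go lower: the entry point fragments the
                # outer packet, which it originated itself.
                return True, size, sent
            # Entry point reports the MTU minus its own overhead.
            reported = max(tunnel_mtu, IPV6_MIN_MTU)
        elif size + added > link_mtu:
            if mode == "tunnel":
                # Error goes to the outer source (the entry point); the
                # packet is lost and the sender retransmits.
                tunnel_mtu = link_mtu - added
                continue
            reported = link_mtu  # unadjusted, sent to the original sender
        else:
            return True, size, sent
        if reported >= size:
            return False, size, sent  # error tells the sender nothing new
        size = reported
    return False, size, max_packets
```

With a 1400-byte downstream link, the inserting router leaves the sender stuck at 1400 bytes, while the tunnel entry point steers it to 1336 bytes and delivery succeeds.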
