On Sun, Apr 15, 2018 at 6:06 PM, Tim Sedlmeyer <t...@sedlmeyer.org> wrote:
> PMTUD on the Internet is often broken and increasingly becoming more
> broken, so in my opinion introducing any level of potential security
> concern to support it would be unwise.

I was wondering if there's actually an appropriate use case for PMTUD within networks that are well behaved. For example, within various intranets, or between physical sites within a campus. Perhaps these aren't relevant, since they're centrally managed anyway, and so we should just give up on PMTUD altogether?

> If MTU issues are regularly presenting a significant issue to
> successful deployment of wireguard then in the short term I would
> suggest doing what many ipsec implementations do, give up some
> performance in order to increase the likelihood of successful
> transmission by assigning a default MTU significantly small enough to
> avoid issues in the vast majority of circumstances. For instance by
> default the OS X ipsec vpn implementation assigns an MTU of 1280, the
> minimum IPv6 datagram size, to the tunnel by default. Cisco assigns an
> MTU of 1300 by default.

Not a bad idea for end user clients. Ugly, but maybe nobody would be too perturbed. wg-quick(8) has an MTU= parameter, after all, which could be set to 1280.

> In the long term some form of packetization layer path mtu discovery
> probably should be added to the wireguard protocol itself. Perhaps by
> padding the first message of the handshake to utilize it as a mtu
> discovery probe.

I was thinking about implementing something like this on top of WireGuard -- a basic ping probe tool that walks through each peer and tries to ping one of its allowed IPs within the tunnel. Maybe this would take care of most people's use cases. It is explicit, however, rather than the nice on-demand automatic aspect of traditional PMTUD.

But anyway, all of this falls into the category of, "let's just not do PMTUD." I'm still not convinced it's impossible to do securely, mostly because I haven't heard anybody explicitly say, "we thought about this for 25 years and it can't be done."
_______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
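The explicit probe tool sketched in the reply above (walk each peer, ping one of its allowed IPs inside the tunnel, find the largest size that gets through), written out as an added example. This is not code from the original post and not part of WireGuard or wg-quick. It parses the output of `wg show <iface> allowed-ips`, picks one routable address per peer, and binary-searches the largest DF-marked ping payload that is answered. Assumptions, none of which come from the thread: Linux iputils `ping` (its `-M do` flag sets the Don't Fragment bit), a 28-byte IPv4+ICMP header overhead and 48-byte IPv6+ICMPv6 overhead, the 1280-byte floor mentioned in the thread, a 1500-byte ceiling, and constructed peer keys and addresses in the sample.

```python
"""Explicit in-tunnel MTU probe for WireGuard peers (added example, not project code)."""
import ipaddress
import subprocess
import sys
from typing import Callable, Dict, List, Optional

ICMP_V4_OVERHEAD = 20 + 8   # IPv4 header + ICMP echo header (assumed, no IP options)
ICMP_V6_OVERHEAD = 40 + 8   # IPv6 header + ICMPv6 echo header (assumed, no extension headers)
IPV6_MIN_MTU = 1280         # floor from the thread: no link should be smaller than this
ETHERNET_MTU = 1500         # assumed ceiling for the search

Probe = Callable[[str, int], bool]


def parse_allowed_ips(wg_output: str) -> Dict[str, List[str]]:
    """Parse `wg show <iface> allowed-ips`: one line per peer, '<pubkey>\\t<cidr> <cidr>...'.
    A peer with no allowed IPs is printed as '(none)'."""
    peers: Dict[str, List[str]] = {}
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        pubkey, _, rest = line.partition("\t")
        peers[pubkey] = [c for c in rest.split() if c != "(none)"]
    return peers


def first_host(cidr: str) -> Optional[str]:
    """Pick a concrete address to ping from an AllowedIPs entry.
    Catch-all routes (0.0.0.0/0, ::/0) name no specific peer host, so they are skipped."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return None
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(next(net.hosts()))


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One ICMP echo with DF set (iputils: -M do) carrying `payload` data bytes.
    True when a reply arrives; False on timeout or a local 'message too long' error."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def largest_working_payload(probe: Probe, host: str, lo: int, hi: int) -> Optional[int]:
    """Binary search for the largest payload in [lo, hi] that the probe confirms.
    Returns None when even the floor does not get through (broken path, not an MTU issue)."""
    if not probe(host, lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def probe_peers(wg_output: str, probe: Probe = ping_probe,
                ceiling: int = ETHERNET_MTU) -> Dict[str, Optional[int]]:
    """Map each peer public key to the usable in-tunnel MTU towards it (payload + headers),
    or None when the peer has no pingable allowed IP or never answers."""
    results: Dict[str, Optional[int]] = {}
    for pubkey, cidrs in parse_allowed_ips(wg_output).items():
        target = next((h for h in map(first_host, cidrs) if h), None)
        if target is None:
            results[pubkey] = None
            continue
        overhead = ICMP_V6_OVERHEAD if ":" in target else ICMP_V4_OVERHEAD
        payload = largest_working_payload(probe, target, IPV6_MIN_MTU - overhead, ceiling - overhead)
        results[pubkey] = None if payload is None else payload + overhead
    return results


# Constructed sample in the exact layout of `wg show wg0 allowed-ips`; keys are placeholders.
SAMPLE_WG_OUTPUT = (
    "PEER1_PUBKEY_PLACEHOLDER=\t10.0.0.2/32 192.168.10.0/24\n"
    "PEER2_PUBKEY_PLACEHOLDER=\tfd00:dead:beef::/64\n"
    "PEER3_PUBKEY_PLACEHOLDER=\t0.0.0.0/0 ::/0\n"
    "PEER4_PUBKEY_PLACEHOLDER=\t(none)\n"
)


def fake_probe_for_mtu(path_mtu: int) -> Probe:
    """Offline stand-in for ping_probe: a packet gets through iff payload + headers <= path_mtu."""
    def probe(host: str, payload: int) -> bool:
        overhead = ICMP_V6_OVERHEAD if ":" in host else ICMP_V4_OVERHEAD
        return payload + overhead <= path_mtu
    return probe


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "wg0"
    live = subprocess.run(["wg", "show", iface, "allowed-ips"], capture_output=True, text=True, check=True)
    for key, mtu in probe_peers(live.stdout).items():
        print(f"{key}\t{mtu if mtu is not None else 'no reply / no pingable allowed IP'}")
```

The smallest non-None value across peers is what one would put into the `MTU=` parameter of wg-quick(8) for that interface. As the reply notes, this is an explicit, operator-triggered measurement, not on-demand discovery: it needs the peer to answer ICMP echo inside the tunnel and tells you nothing about paths that change after the probe ran.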