On Sun, Apr 15, 2018 at 7:51 PM, Tim Sedlmeyer <t...@sedlmeyer.org> wrote:
> - Which allowed-ip do you use?
> - If the allowed-ip is a network, which ip within it do you choose to ping?
> - If you are connected to a single peer with an allowed-ip of 0.0.0.0/0 what
> ip do you ping?

Yea, the actual IP discovery is a hurdle to figure out.

> The allowed-ip isn't guaranteed to be on the same device as the peer so,
> in the end you aren't measuring the mtu over the connection between peers
> but the complete path to that allowed-ip which could involve more devices and
> connections with smaller MTUs than between the peers themselves.

That's probably fine and even desirable, since we're looking for the PMTU along a certain route.

> See RFC4821, RFC8085 and
> https://tools.ietf.org/html/draft-ietf-tsvwg-datagram-plpmtud-01
> for more info about PLMTUD.
>
> https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu-discovery-01
> has a quick overview of where IPsec stands with implementing it.

Thanks for these. I followed the rabbit hole, and found [1], which seems to be the current latest and greatest from the IPsec people. It uses probes inside the control plane. Reading the references, such as [2], it seems pretty unanimous that going anywhere near out-of-tunnel ICMP messages is a disaster, as I suggested in the original post here. That's useful confirmation, and I guess we'll indeed have to look at creative non-ICMP solutions for PMTUD to happen.

[1] https://tools.ietf.org/html/draft-spiriyath-ipsecme-dynamic-ipsec-pmtu-01.html
[2] https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
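The thread converges on in-band, ack-driven probing (packetization-layer PMTUD per RFC 4821 / RFC 8085) rather than trusting ICMP Packet-Too-Big from outside the tunnel. The following is an added example, not code from WireGuard or from anyone on this thread: a binary search for the largest probe size that a peer acknowledges, run against a constructed path object that silently black-holes oversize probes (exactly the no-ICMP case) and also drops every third probe to model ordinary loss. The `SimulatedPath` class, `plpmtud_search` and `tunnel_inner_mtu` are hypothetical names; in a real tunnel `probe()` would send a padded data message to the peer and wait for an in-tunnel acknowledgement. The overhead constants are the WireGuard data-message framing (IP header + UDP header + 16-byte transport header + 16-byte Poly1305 tag), which is why the default interface MTU is 1420 over an IPv6 outer path.

```python
"""
Packetization-layer PMTU search (RFC 4821 style) over a simulated path.

Added example, not WireGuard code. The "path" is a constructed object that
silently drops any probe larger than its MTU (no ICMP Packet-Too-Big is ever
generated), which is the failure mode the thread is working around.
"""
from typing import Callable, Optional

# WireGuard data-message overhead on the wire: IP header (20 for IPv4, 40 for
# IPv6) + UDP header (8) + WireGuard transport header (16) + Poly1305 tag (16).
WG_OVERHEAD_IPV4 = 20 + 8 + 16 + 16   # 60
WG_OVERHEAD_IPV6 = 40 + 8 + 16 + 16   # 80


def tunnel_inner_mtu(outer_pmtu: int, outer_is_ipv6: bool) -> int:
    """Largest inner packet that fits in one outer datagram of outer_pmtu bytes."""
    return outer_pmtu - (WG_OVERHEAD_IPV6 if outer_is_ipv6 else WG_OVERHEAD_IPV4)


class SimulatedPath:
    """Constructed stand-in for the network between two peers (hypothetical).

    Probes larger than `mtu` vanish without any ICMP feedback. Additionally,
    every `drop_every`-th probe is lost to model ordinary packet loss, so the
    searcher must retransmit before declaring a size unusable.
    """

    def __init__(self, mtu: int, drop_every: int = 0) -> None:
        self.mtu = mtu
        self.drop_every = drop_every
        self.sent = 0

    def probe(self, size: int) -> bool:
        """Send a DF probe of `size` bytes; return True if an ack came back."""
        self.sent += 1
        if self.drop_every and self.sent % self.drop_every == 0:
            return False            # ordinary loss, unrelated to MTU
        return size <= self.mtu     # oversize: black-holed, no ICMP


def plpmtud_search(probe: Callable[[int], bool], base: int = 1280,
                   max_size: int = 1500, tries: int = 3) -> Optional[int]:
    """Find the largest probe size the path delivers, using only acks.

    probe(size) must return True if the peer acknowledged a probe of that size.
    A size is considered unusable only after `tries` consecutive failures so
    that ordinary loss does not shrink the estimate.
    Returns None if even the base size is black-holed.
    """

    def delivered(size: int) -> bool:
        # Stop retransmitting as soon as one ack arrives.
        return any(probe(size) for _ in range(tries))

    if not delivered(base):
        return None                 # cannot reach the peer even at the base size
    lo, hi = base, max_size         # lo is known-good, hi the largest candidate
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if delivered(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    path = SimulatedPath(mtu=1400, drop_every=3)
    outer = plpmtud_search(path.probe)
    print("outer PMTU:", outer, "after", path.sent, "probes")
    print("inner MTU over IPv6 outer:", tunnel_inner_mtu(outer, True))
```

Because `delivered()` only declares a size unusable after several silent failures, a lossy path does not pull the estimate down, while a true black hole at the base size is reported as `None` so the caller can fall back to a conservative MTU instead of assuming connectivity. Note the search measures the whole path to whatever answers the probe, which is the route-specific PMTU the thread says is actually wanted.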