Dear Experts:

Recently we ran into a real problem in an IPsec use case. In customer application scenarios, ESP packets are fragmented, which causes many problems, including performance problems, device resource problems, and even traffic loss. (In the customer use case, it is an IPsec over NAT scenario, so ESP packets are encapsulated in UDP. Therefore, except for the initial fragment, which contains the complete UDP header, the other fragments can only indicate the UDP protocol in the IP address but do not have a UDP header. Therefore, they may be incorrectly identified by other applications and captured, with the fragmented IP payload regarded as a UDP header. ESP cannot be reassembled and the packet is lost.)
Existing ICMP/PMTUD (IPv6), or manual modification of the router MTU, seems to solve some similar problems, but does not seem to be so ideal in the real world. For example, the real problem this time is that the untrusted network is uncontrollable and the user has no right or ability to modify the MTU/configuration of the device; this is a general case. At the same time, some routers do not support (or enable) PMTU, making the problem seemingly insoluble. We'd like to have a responsible approach, supported by IKEv2 itself and independent of the external environment/protocol, to solve such problems, so this document defines the allowed Maximum Transmission Unit (MTU) extension that enables automatic detection of the MTU allowed on the forwarding path of each IKEv2 session, to prevent ESP packets from being fragmented. The announcement below is that draft. We would like to work with the community to improve and clarify the tech draft.

Brs

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Wednesday, February 23, 2022 2:27 PM
To: Congjie Zhang <congjie.zh...@ericsson.com>; Harold Liu <harold....@ericsson.com>; Daniel Migault <daniel.miga...@ericsson.com>; Renwang Liu <renwang....@ericsson.com>
Subject: New Version Notification for draft-liu-ipsecme-ikev2-mtu-dect-00.txt

A new version of I-D, draft-liu-ipsecme-ikev2-mtu-dect-00.txt has been successfully submitted by Daiying Liu and posted to the IETF repository.
Name: draft-liu-ipsecme-ikev2-mtu-dect
Revision: 00
Title: IKEv2 MTU Detection Extension
Document date: 2022-02-21
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-liu-ipsecme-ikev2-mtu-dect-00.txt
Status: https://datatracker.ietf.org/doc/draft-liu-ipsecme-ikev2-mtu-dect/
Htmlized: https://datatracker.ietf.org/doc/html/draft-liu-ipsecme-ikev2-mtu-dect

Abstract:
This document defines the Internet Key Exchange Version 2 (IKEv2) allowed Maximum Transmission Unit (MTU) extension that enables automatic detection of the MTU allowed on the forwarding path of each IKEv2 session, to prevent Encapsulating Security Payload (ESP) packets from being fragmented.

The IETF Secretariat

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec