From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Cc: Roman Mamedov <rm@romanrm.net>, zrm <zrm@trustiosity.com>,
StarBrilliant <coder@poorlab.com>,
Baptiste Jonglez <baptiste@bitsofnetworks.org>,
Joe Holden <jwh@zorins.us>,
Nico Schottelius <nico.schottelius@ungleich.ch>,
Vasili Pupkin <diggest@gmail.com>,
peter@fiberdirekt.se
Subject: Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better
Date: Mon, 7 Jun 2021 11:34:21 +0200 [thread overview]
Message-ID: <CAHmME9rj9M=5G6oh+ZKQjekxWFp-5sF4MWux2==2V4X2UtYkag@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9rNnBiNvBstb7MPwK-7AmAN0sOfnhdR=eeLrowWcKxaaQ@mail.gmail.com>
Hey folks,
There seems to be a bit of confusion about *which* stage of
fragmentation would be affected by the proposal, so I drew some
diagrams to help illustrate what I'm talking about. Please take a
look:
https://data.zx2c4.com/potential-wg-fragmentation-proposal.png
1) Ingress fragmentation would not be affected by this and is not
relevant for this discussion. This is the case in which a computer
gets a packet for forwarding out of the wireguard interface, and it's
larger than the interface's mtu, so the computer fragments it before
passing it onto that interface. I'm not suggesting any change in this
behavior.
2) Local egress fragmentation WOULD be affected by this and is the
most relevant thing in this discussion. In this case, a packet that
gets encrypted and winds up being larger than the mtu of the interface
that the encrypted packet will go out of gets fragmented. In this
case, we could likely respond with an ICMP packet or similar in-path
error. But keep in mind this whole situation is local: it usually will
only happen out of misconfiguration. The best fix for the diagram I
drew would be for the administrator to decrease the MTU of the
wireguard interface to 1412.
3) Path egress fragmentation COULD be affected by this, but doesn't
have to be. In this case, we simply set "don't fragment" on encrypted
egress packets, which means they won't be fragmented by other
computers along the path.
So, of those concerned about this, which concerns are actually about
(2) and (3)? Of those, which ones are about (2)? If you have concerns
specifically about (2) that couldn't be fixed with reasonable system
administration, I'd like to hear why and what the setup is that leads
to that situation.
As an aside, Roman asked about TTL. When tunneling, the outer packet
header always must take the new TTL of the route to the tunnel
endpoint, and not do anything with the potentially much smaller inner
TTL. So with tunneling, you can't quite rely on the TTL to drop to
zero as you'd wish. Hence, I'm interested in using the natural packet
size expansion instead.
Thanks for the discussion so far. I'm very interested to read
clarifying points about applicability to case (2) (and to a lesser
extent, about case (3)).
Thanks,
Jason
next prev parent reply other threads:[~2021-06-07 9:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-06 9:13 Jason A. Donenfeld
2021-06-06 9:32 ` Nico Schottelius
2021-06-06 10:39 ` Vasili Pupkin
2021-06-06 11:14 ` Peter Linder
2021-06-07 11:58 ` Derek Fawcus
2021-06-06 19:03 ` Roman Mamedov
2021-06-06 22:33 ` Joe Holden
2021-06-07 9:34 ` Jason A. Donenfeld [this message]
2021-06-07 11:13 ` Roman Mamedov
2021-06-07 11:27 ` Jason A. Donenfeld
2021-06-07 11:46 ` Roman Mamedov
2021-06-07 11:55 ` Peter Linder
2021-06-07 18:50 ` Roman Mamedov
2021-06-07 11:18 ` Nico Schottelius
2021-06-09 23:26 ` Vasili Pupkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9rj9M=5G6oh+ZKQjekxWFp-5sF4MWux2==2V4X2UtYkag@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=baptiste@bitsofnetworks.org \
--cc=coder@poorlab.com \
--cc=diggest@gmail.com \
--cc=jwh@zorins.us \
--cc=nico.schottelius@ungleich.ch \
--cc=peter@fiberdirekt.se \
--cc=rm@romanrm.net \
--cc=wireguard@lists.zx2c4.com \
--cc=zrm@trustiosity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).