From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>,
Roman Mamedov <rm@romanrm.net>, zrm <zrm@trustiosity.com>,
StarBrilliant <coder@poorlab.com>,
Baptiste Jonglez <baptiste@bitsofnetworks.org>,
Joe Holden <jwh@zorins.us>,
Nico Schottelius <nico.schottelius@ungleich.ch>,
Vasili Pupkin <diggest@gmail.com>,
peter@fiberdirekt.se
Subject: Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better
Date: Mon, 07 Jun 2021 13:18:35 +0200 [thread overview]
Message-ID: <87fsxtvs6s.fsf@ungleich.ch> (raw)
In-Reply-To: <CAHmME9rj9M=5G6oh+ZKQjekxWFp-5sF4MWux2==2V4X2UtYkag@mail.gmail.com>
Hey Jason,
Jason A. Donenfeld <Jason@zx2c4.com> writes:
> Hey folks,
>
> There seems to be a bit of confusion about *which* stage of
> fragmentation would be affected by the proposal, so I drew some
> diagrams to help illustrate what I'm talking about. Please take a
> look:
>
> https://data.zx2c4.com/potential-wg-fragmentation-proposal.png
I love the math: 2792 = 1420 + 1420 = 1500 + 1500
Joke aside, ...
> 1) Ingress fragmentation would not be affected by this and is not
> relevant for this discussion. This is the case in which a computer
> gets a packet for forwarding out of the wireguard interface, and it's
> larger than the interface's mtu, so the computer fragments it before
> passing it onto that interface. I'm not suggesting any change in this
> behavior.
I believe this is something wireguard cannot influence *anyway* as the
sending side can send any sized packet towards us.
> 2) Local egress fragmentation WOULD be affected by this and is the
> most relevant thing in this discussion. In this case, a packet that
> gets encrypted and winds up being larger than the mtu of the interface
> that the encrypted packet will go out of gets fragmented. In this
> case, we could likely respond with an ICMP packet or similar in-path
> error. But keep in mind this whole situation is local: it usually will
> only happen out of misconfiguration. The best fix for the diagram I
> drew would be for the administrator to decrease the MTU of the
> wireguard interface to 1412.
So how does that behave in the situation that the upstream interface or
routes change? Let's say WG MTU = 1412, original PMTU = 1500, decreases
to 1420. Would that reduce the WG mtu automatically to 1332? I guess
not. So what happens with packets arrive with size = 1420?
> 3) Path egress fragmentation COULD be affected by this, but doesn't
> have to be. In this case, we simply set "don't fragment" on encrypted
> egress packets, which means they won't be fragmented by other
> computers along the path.
That's true, but then it would be required to fragment them locally,
wouldn't it?
I'm trying to wrap my head around this in comparison to IPv6/IPv4: In
the IPv6 world we don't have fragmentation on the path, it's always
client based. In the IPv4 world routers can dis/re-assemble packets on
the way.
If I understand it correctly, you are somewhat suggestion that wireguard
behaves a bit like an IPv6 router, albeit for both the v6 and the v4
world. Is that comparison making sense somehow?
I think it would be easier to understand, if there was a demo case, a
sample tunnel that rejects packets, if fragmentation is needed. What
would be the appropriate ICMP message for an IPv4 packet that does not
include the DF bit?
So far, I'm not fully convinced the approach is a smart way, especially
not when it comes to handling network debugging and given that we do
already have a TTL that should be a loop prevention as well.
Best regards,
Nico
--
Sustainable and modern Infrastructures by ungleich.ch
next prev parent reply other threads:[~2021-06-07 11:19 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-06 9:13 potentially disallowing IP fragmentation on wg packets, and handling routing loops better Jason A. Donenfeld
2021-06-06 9:32 ` Nico Schottelius
2021-06-06 10:39 ` Vasili Pupkin
2021-06-06 11:14 ` Peter Linder
2021-06-07 11:58 ` Derek Fawcus
2021-06-06 19:03 ` Roman Mamedov
2021-06-06 22:33 ` Joe Holden
2021-06-07 9:34 ` Jason A. Donenfeld
2021-06-07 11:13 ` Roman Mamedov
2021-06-07 11:27 ` Jason A. Donenfeld
2021-06-07 11:46 ` Roman Mamedov
2021-06-07 11:55 ` Peter Linder
2021-06-07 18:50 ` Roman Mamedov
2021-06-07 11:18 ` Nico Schottelius [this message]
2021-06-09 23:26 ` Vasili Pupkin
[not found] <gxES.4zxnvP9N2kSJa1NGITwbXw@t8xeHZrp0E6un9AocFqL84lJhFB_QEtHqmTZgcSOnX0.xz>
2024-11-18 14:31 ` Orsiris de Jong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fsxtvs6s.fsf@ungleich.ch \
--to=nico.schottelius@ungleich.ch \
--cc=Jason@zx2c4.com \
--cc=baptiste@bitsofnetworks.org \
--cc=coder@poorlab.com \
--cc=diggest@gmail.com \
--cc=jwh@zorins.us \
--cc=peter@fiberdirekt.se \
--cc=rm@romanrm.net \
--cc=wireguard@lists.zx2c4.com \
--cc=zrm@trustiosity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.