Subject: Re: icmp patches
To: Fernando Gont <fernando@gont.com.ar>
From: Kevin Lahey <kml@patheticgeek.net>
List: tech-net
Date: 07/14/2005 17:13:23

On Thu, 14 Jul 2005 14:35:59 -0300
Fernando Gont <fernando@gont.com.ar> wrote:

> At 10:05 p.m. 13/07/2005, Kevin Lahey wrote:

> >By waiting at least an RTO before acting on packet too big
> >notifications, we're slowing down PMTUD in every case.  This could
> >have a big impact on people behind a small-MTU connection[*].
> 
> Your assumption is completely wrong. The two-phase separation of the PMTUD 
> fix you mean you'll achieve for new connections the same convergence time 
> as the current PMTUD. 

Doh, in my hurry to get out of town, I obviously didn't read either
the code or the draft closely enough.  Sorry.  Clearly, with the special
case checking the size of acked segments, the PMTUD-delay stuff should work
as quickly as the current code.

Does the added complexity of the PMTUD-delay scheme result in significant 
advantages over the simple sequence number checking?  Admittedly, attacking
PMTUD via ICMP will require only the correct guessing of a sequence number,
where TCP RST attacks might require correct guessing of both a sequence
number and an acknowledgement number, but I'm curious about how difficult
this is.

The sequence number and source quench fixes are obviously important to 
implement right away.  I don't think that *I* would add the PMTUD-delay
fix to NetBSD, but I certainly won't object if someone else does.  

> Which is, by far, much smaller than the convergence 
> time that the proposal of the PMTUD WG 
> (http://www.ietf.org/internet-drafts/draft-ietf-pmtud-method-04.txt), of 
> which you are one of the authors.

As you point out publicly elsewhere, the PLPMTUD stuff is totally 
orthogonal to your proposal.  The goal of PLPMTUD is to be able to 
work around PMTUD black holes, situations in which there are no 
ICMP messages at all.

My concerns were with the elegance of the solution, and with
implementing an obviously expired draft that doesn't show up 
on the IETF working group web site with which it was claimed 
it was associated.

After spending almost an entire day reading the TCPM archives, 
I can understand both why it wasn't there, and why you seem to 
be so touchy about the whole thing.  I'm sorry you had such a 
rough time trying to get through a worthwhile proposal.

Kevin
kml@patheticgeek.net
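
The "simple sequence number checking" discussed in this message, sketched as an added example (not code from the email, the patch under discussion, or NetBSD): an ICMP error is acted on only if the TCP sequence number in its quoted header refers to data currently in flight. The struct, field and function names are assumptions, and `check_sample` builds a constructed quote for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-connection send state (names are assumptions). */
struct conn_state {
    uint32_t snd_una;   /* oldest unacknowledged sequence number */
    uint32_t snd_max;   /* one past the highest sequence number sent */
};

/* Wraparound-safe comparisons in 32-bit sequence space. */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) >= 0)

/*
 * quoted: the bytes after the 8-byte ICMP header, i.e. the offending
 * IPv4 header followed by at least the first 8 bytes of the TCP header.
 * Returns 1 if the quoted sequence number is in [snd_una, snd_max).
 */
int icmp_quote_in_window(const struct conn_state *c,
                         const uint8_t *quoted, size_t len)
{
    size_t ihl;
    const uint8_t *s;
    uint32_t seq;

    if (len < 20 || (quoted[0] >> 4) != 4)
        return 0;                       /* not a complete IPv4 header */
    ihl = (size_t)(quoted[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || quoted[9] != 6)
        return 0;                       /* bad IHL, short quote, or not TCP */
    s = quoted + ihl + 4;               /* TCP sequence number field */
    seq = ((uint32_t)s[0] << 24) | ((uint32_t)s[1] << 16) |
          ((uint32_t)s[2] << 8) | (uint32_t)s[3];
    return SEQ_GEQ(seq, c->snd_una) && SEQ_LT(seq, c->snd_max);
}

/* Constructed sample: 20-byte IPv4 header plus 8 bytes of TCP header. */
int check_sample(uint32_t una, uint32_t max, uint32_t seq)
{
    struct conn_state c = { una, max };
    uint8_t q[28] = { 0x45 };           /* version 4, IHL 5; rest zeroed */

    q[9] = 6;                           /* protocol = TCP */
    q[24] = (uint8_t)(seq >> 24); q[25] = (uint8_t)(seq >> 16);
    q[26] = (uint8_t)(seq >> 8);  q[27] = (uint8_t)seq;
    return icmp_quote_in_window(&c, q, sizeof q);
}
```

When nothing is in flight (`snd_una == snd_max`) the window is empty and every ICMP error is rejected.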