Updated ICMP PMTU section

[igorlord]

Per request of the editors, here is a draft PR for ICMP PMTU section.
I am deliberately not including text for #1243 here. (That can be a subsequent PR.)

[ianswett]

This looks good, but I'd like someone who's more of an expert in ICMP to read it, so I'm adding @martinduke

[ianswett]

To what? How about one outstanding PATH_CHALLENGE at once?

[igorlord]

I'll rewrite this completely.

[ianswett]

I thought we were recommending setting DF on all packets?

[mikkelfj]

I also wondered ...

[igorlord]

That was one of the original proposals. But I agree -- this is not the best idea. I'll revise.

[martinthomson]

Thanks for doing this Igor.

This is a lot of new words, but generally good. I think that we probably need to do something to break this up a little.

I also think that implementations will not be able to save anything of the IP ID, and won't be inclined to save anything from the packet. So we might want to suggest a mode switch when a packet is received.

[martinthomson]

"classical" isn't a useful description of the mechanism. If you need to distinguish this between PLPMTUD, talk about using ICMP feedback.

[igorlord]

How strongly do you feel against word "classical"? It is used in other RFCs for the purpose I am using it here. See https://tools.ietf.org/html/rfc4821 and https://tools.ietf.org/html/rfc5320.

[martinduke]

How about "ICMP-based"? This eliminates all ambiguity and saves people the trouble of clicking through references to know what we're talking about.

[janaiyengar]

I think the context does make it clear, but @martinduke's suggestion seems reasonable.

[martinthomson]

typo: prooff

[martinthomson]

How does one make this determination?

[igorlord]

You are right. This needs revising.

[martinthomson]

More IPv4 advice, which should be called out as such. I don't think that senders will remember this if it is not predictable.

[martinthomson]

PTB?

[martinthomson]

SHOULD?

[martinthomson]

I think that this disagrees with the conclusion of the working group - we agreed that a PMTU of 1280 was necessary to support QUIC and that the response to a reduction in size was to ignore the signal. If the signal is true, this causes the connection to fail, but that's OK.

[igorlord]

This is specifically done during the handshake. The language here is trying to stay in agreement with the decision that PMTU < 1280 does not support QUIC. Which ones of the statements is the concern:

1. to switch IPs (but stick w/ QUIC), if multiple IPs are available for the server?
2. to switch protocols, if we have an on-path validation of the signal?

Would you rather see all PMTU<1280 signals ignored (and not switch to TCP, if available, for example)?

[martinthomson]

Where did this 1392 come from?

[igorlord]

Somewhat arbitrary, examining various tunneling protocols out there to see what seems like a conservative-enough number that is not too small to be significantly concerned with degraded performance. This number would certainly need a wg consensus.

The goal was to make sure that in the common case (no attack), we can switch to a workable PMTU immediately.

Of course, if the wg believes that 1280 is "large enough" to use it immediately, this would simplify things.

[martinthomson]

SHOULD?

If "SHOULD", how does an endpoint decide to do this (or not). If it is purely a rate-limiting thing, then maybe different words would help.

[igorlord]

Fixing and rewriting this.

[martinduke]

There a bunch of nits, but I have three higher-level comments:

1. There are no MUSTs in the ICMP stuff because you don't always control that in user space. We reached consensus before that PLPMTUD was a SHOULD and all ICMP stuff was a MAY; we should socialize this in the whole group if we upend that now. You've slipped in some SHOULDs that muddy those waters.

2. The added clarification around handshake/non-handshake, and the explicit call for some validation of QUIC headers, if available, is valuable.

3. A big part of this PR is a rewrite of how to handle it when ICMP gives you only 8 bytes. I found the original text to be more clear and concise than the new text, but perhaps we can discuss what the motivation for this rewrite is.

[martinduke]

How about "ICMP-based"? This eliminates all ambiguity and saves people the trouble of clicking through references to know what we're talking about.

[martinduke]

I disagree with the statement that some ICMP messages have no proof. The 8-byte trailer is sufficient as a proof for TCP, and even if the QUIC case there is enough entropy if we store the right things.

[martinduke]

Zooming out a bit, I think the original text of this section is a bit clearer about what the real problem is. I do think it could use a paragraph like "endpoints SHOULD use fields from the QUIC header, if provided in the ICMP message, to validate that a QUIC packet in flight might have generated the ICMP message." And leave the rest unchanged.

[igorlord]

I'd say that not just the QUIC header but, more importantly, the QUIC encrypted section, since it has more entropy.

But, I agree, instead of coming up with metrics, we should just leave the specifics undefined. I like your wording. Will adapt and incorporate.

[igorlord]

(As for an 8-byte proof, it is sufficient for TCP but not QUIC, since 8 bytes only cover two UDP ports, length and checksum. Hence this entire discussion.)

[martinduke]

The problem with MUSTs in this section is that some user space implementations may not have any control over ICMP handling logic.

[igorlord]

The language in this section says that validation is a SHOULD. But if that validation fails, discarding is a MUST. (And if the validation is not done, since it is not mandatory, then the signal SHOULD be treated as a signal without an on-path proof.)

Do you still think this is a problem?

[igorlord]

@janaiyengar is suggesting that not doing (or not being able to do) a validation means it is a SHOULD MUST to treat the signal as not having an on-path proof. It makes sense to me.

[martinduke]

... SHOULD be provisional...

[martinduke]

SHOULD

[martinduke]

SHOULD

[martinduke]

I like how you separate the handshake issues here, but these also apply to PLPMTUD, yes?

[igorlord]

PLPMTUD take time to do its work (it is loss/timeout-based). The purpose of this discussion is to identify conditions, when you can trust ICMP immediately and not have to resort to PLPMTUD (especially during handshake).

[martinduke]

This is a significant change. The spec suggests ("SHOULD") that PLPMTUD be used. ICMP-based PMTUD is strictly a MAY.

[igorlord]

Yes, this would need to be reconfirmed. I do believe that we should encourage implementations to use the best available signal, including ICMP, especially when we have reasons to trust it. Performance is important for QUIC, and it is double-important for handshake, and ICMP works much faster than PLPMTUD.

[igorlord]

Re-reading PLPMTUD, the draft says explicitly that it is an extension to the classical (ICMP-based) PMTU discovery process and its prescriptions are to be used in cases where ICMP-based PMTU discovery cannot be done. So say that PLPMTUD is a SHOULD is effectively saying that ICMP is a SHOULD (as much as practicable).

[martinduke]

Same comment: we're elevating ICMP response from a MAY to a SHOULD.

[martinduke]

I guess you deleted this because it didn't meet your 1/2^32 standard?

[igorlord]

LOL. Mostly because I received comments that we recommend DF to be set on all packets, and this is going against that recommendation.

(But being pedantic, that standard was for on-path proof, while this discussion is for validation packets w/o on-path proof.)

More importantly, the entire standard thing is gone now. I will further revise it to use your latest feedback as to the wording (ie. "use the data from the packet" instead of prescribing standards or which data to use).

[janaiyengar]

Thanks for getting this going, @igorlord ! A few comments, mostly editorial.

[janaiyengar]

I think the context does make it clear, but @martinduke's suggestion seems reasonable.

[janaiyengar]

ditto. Also, Capitalize This Section Title.

[janaiyengar]

the messages -> messages

[janaiyengar]

This sentence is a bit hard to follow. Also, it's possible that the ICMP message was received after the sender deemed it lost, since the sender may have been too earnest in marking it lost. Perhaps remove the requirement that it not be marked as lost yet? How about the following: "To validate an ICMP message containing on-path proof, the proof MUST be from a QUIC packet that is not yet acknowledged."

[janaiyengar]

To perform the on-path validation -> To validate a received ICMP message

[janaiyengar]

an on-path proof -> on-path proof

[janaiyengar]

the protocol implementation -> an endpoint

[janaiyengar]

an on-path proof -> on-path proof

[janaiyengar]

This paragraph seems quite redundant. I would replace it with one sentence with recommendation for what state a sender can store to validate proof in ICMP messages.

[janaiyengar]

then -> they

[igorlord]

I've made updates per feedback received. There are two points of discussion left (that I know of):

1. This is promoting ICMP processing to a SHOULD. I think this is a correct thing to do, since PLPMTUD claims itself to be an extension of ICMP-based PMTUD process. Of course, implementations w/o access to ICMP would not be able to implement this SHOULD, but this is ok albeit unfortunate -- the very definition of a SHOULD (skipping on MAY is not "unfortunate").

2. I am using a mostly made up number (1392) as "conservative enough to be believed w/o on-path proof". It was a compromise between "small enough for most Internet tunnels" and "not that small that someone would go into troubles of maliciously reducing PMTU of the victim to that number". This may need a discussion.

[ianswett]

@igorlord This hasn't been updated in a while and I think PR #2036 may have covered some of the items you were working on. Can you either update this PR or close it as being now obsolete?

[igorlord]

@ianswett, yes, much has changed since. Let's close this PR. Instead, I've posted a simpler #2108 and #2109 that may need a short discussion.