X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=NOTES;h=f5ebc652045e20818d83188fd6f919e8deb11b53;hp=7ead923be70060d708e287b24d63a7dc2093e39a;hb=5c19b79c7c817a28a1582970b2685c98e05b2de5;hpb=5b5f297f9a9d47ee7e9804d5bdaa552f1953c6b6 diff --git a/NOTES b/NOTES index 7ead923..f5ebc65 100644 --- a/NOTES +++ b/NOTES @@ -198,6 +198,8 @@ The optional additional data after the sender's name consists of some initial subset of the following list of items: * A 32-bit integer with a set of capability flags, representing the abilities of the sender. + * In MSG3/MSG4: a 16-bit integer being the sender's MTU, or zero. + (In other messages: nothing.) See below. * More data which is yet to be defined and which must be ignored by receivers. The optional additional data after the receiver's name is not @@ -220,6 +222,45 @@ No capability flags are currently defined. Unknown capability flags should be treated as late ones. +MTU handling + +In older versions of secnet, secnet was not capable of fragmentation +or sending ICMP Frag Needed. Administrators were expected to configure +consistent MTUs across the network. + +It is still the case in the current version that the MTUs need to be +configured reasonably coherently across the network: the allocated +buffer sizes must be sufficient to cope with packets from all other +peers. + +However, provided the buffers are sufficient, all packets will be +processed properly: a secnet receiving a packet larger than the +applicable MTU for its delivery will either fragment it, or reject it +with ICMP Frag Needed. + +The MTU additional data field allows secnet to advertise an MTU to the +peer. This allows the sending end to handle overlarge packets, before +they are transmitted across the underlying public network. This can +therefore be used to work around underlying network braindamage +affecting large packets. + +If the MTU additional data field is zero or not present, then the peer +should use locally-configured MTU information (normally, its local +netlink MTU) instead. + +If it is nonzero, the peer may send packets up to the advertised size +(and if that size is bigger than the peer's administratively +configured size, the advertiser promises that its buffers can handle +such a large packet). + +A secnet instance should not assume that just because it has +advertised an mtu which is lower than usual for the vpn, the peer will +honour it, unless the administrator knows that the peers are +sufficiently modern to understand the mtu advertisement option. So +secnet will still accept packets which exceed the link MTU (whether +negotiated or assumed). + + Messages: 1) A->B: *,iA,msg1,A+,B+,nA @@ -291,3 +332,37 @@ vaguely recent version of secnet. (In fact, there is no evidence in the git history of it ever being sent.) This message number is reserved. + +11) *,*,PROD,A,B + +Sent in response to a NAK from B to A. Requests that B initiates a +key exchange with A, if B is willing and lacks a transport key for A. +(If B doesn't have A's address configured, implicitly supplies A's +public address.) + +This is necessary because if one end of a link (B) is restarted while +a key exchange is in progress, the following bad state can persist: +the non-restarted end (A) thinks that the key is still valid and keeps +sending packets, but B either doesn't realise that a key exchange with +A is necessary or (if A is a mobile site) doesn't know A's public IP +address. + +Normally in these circumstances B would send NAKs to A, causing A to +initiate a key exchange. However if A and B were already in the +middle of a key exchange then A will not want to try another one until +the first one has timed out ("setup-time" x "setup-retries") and then +the key exchange retry timeout ("wait-time") has elapsed. + +However if B's setup has timed out, B would be willing to participate +in a key exchange initiated by A, if A could be induced to do so. +This is the purpose of the PROD packet. + +We send no more PRODs than we would want to send data packets, to +avoid a traffic amplification attack. We also send them only in state +WAIT, as in other states we wouldn't respond favourably. And we only +honour them if we don't already have a key. + +With PROD, the period of broken communication due to a key exchange +interrupted by a restart is limited to the key exchange total +retransmission timeout, rather than also including the key exchange +retry timeout.