cunicu currently attempts to auto-detect a correct tunnel MTU by taking the link/route MTUs into consideration.
However, this will not be optimal as the path MTU can be smaller than the link MTUs.
Such cases can be detected via PMTUD.
However, there is another twist to this.
In larger WireGuard meshes we somehow need to coordinate all peers to use the smallest of all peer-to-peer path MTUs.
This can be achieved via our signaling backend by including a detected path MTU into the peer descriptions.
There is a quite helpful discussion on the WireGuard mailing list which I have linked above.
Similar discussions have been held by the IPsec community, which deals with similar issues.
The conclusion of these discussions is that tunnel protocols should not rely on ICMP packet-too-big (PTB) messages from outside the tunnel, as these are not authenticated and can be forged. This would allow attackers to purposefully reduce the tunnel MTU to perform a DoS attack or infer information about the encrypted payloads.
Performing classic PMTUD through the tunnel does not work. Instead, PLMTUD seems the way to go here.
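As an added illustration (not cunicu's code), the following simulates the two pieces the thread proposes: a PLMTUD-style probe search that relies only on acknowledgements returned through the tunnel, never on outside ICMP PTB messages, and the mesh-wide step that takes the minimum of all detected peer-to-peer path MTUs. The `SimulatedPath` class, the peer names and the path MTU values are constructed for the example; the 80-byte overhead assumes an IPv6 outer header (40 IP + 8 UDP + 32 WireGuard).

```python
from typing import Callable, Dict

WG_OVERHEAD_V6 = 80  # 40 (IPv6) + 8 (UDP) + 32 (WireGuard) bytes per packet


class SimulatedPath:
    """Constructed stand-in for one peer-to-peer path. It silently drops
    probes larger than its hidden path MTU, like a black-hole router that
    sends no ICMP PTB (or one we refuse to trust because it is unauthenticated)."""

    def __init__(self, path_mtu: int) -> None:
        self._path_mtu = path_mtu

    def send_probe(self, size: int) -> bool:
        # True models an acknowledgement that came back *through* the tunnel.
        return size <= self._path_mtu


def plmtud_search(send_probe: Callable[[int], bool],
                  low: int = 1280, high: int = 1500) -> int:
    """Packetization-layer search for the largest probe size acknowledged
    end-to-end. `low` is assumed deliverable (IPv6 minimum MTU); sizes above
    `high` are never tried. Because only in-tunnel acknowledgements drive the
    result, a forged PTB from off-path cannot shrink the detected MTU."""
    if not send_probe(low):
        raise RuntimeError("minimum probe size was not acknowledged")
    if send_probe(high):
        return high
    # Invariant: `low` is acknowledged, `high` is dropped.
    while high - low > 1:
        mid = (low + high) // 2
        if send_probe(mid):
            low = mid
        else:
            high = mid
    return low


def coordinate_mesh_mtu(paths: Dict[str, SimulatedPath],
                        overhead: int = WG_OVERHEAD_V6) -> int:
    """Detect the path MTU towards every peer (what each peer would publish in
    its signaling description) and derive the tunnel MTU the whole mesh must
    agree on: the smallest path MTU minus the encapsulation overhead."""
    detected = {peer: plmtud_search(path.send_probe) for peer, path in paths.items()}
    return min(detected.values()) - overhead


if __name__ == "__main__":
    # Constructed mesh: three peers with different hidden path MTUs.
    mesh = {"peer-a": SimulatedPath(1500), "peer-b": SimulatedPath(1400),
            "peer-c": SimulatedPath(1492)}
    print("mesh tunnel MTU:", coordinate_mesh_mtu(mesh))  # → 1320
```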