Re: Is Fragmentation at IP layer even needed ?

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Fri, 12 February 2016 04:00 UTC

To: Mark Andrews <marka@isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/EkVROPriI5IKhDAbX9idOJToQ7U>
Cc: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>

Mark Andrews wrote:

>> Remember, with IPv6, the firewall can't fragment the reassembled
>> packets. So, no, unless the firewall output reassembled packets,
>> which may be larger than MTU of an outgoing link, it is not "act
>> like that's what's happening".
> 
> The key words were "act like that's what's happening".  You can
> hold fragments until you see the first fragment, check it, then
> release all matching fragments.

Thus, a set of packets is investigated and there is no
reassembly happening.

It is merely that some firewalls sometimes change filtering
behavior by investigating a set of packets (like snooping
ftp command stream to open data port, which no one calls virtual
TCP streaming), regardless of whether the packets are fragments
of a packet or not.

> You can virtually reassemble all
> the fragments then release them all if you need to see the entire
> packet.  There has never been a need to throw away all fragments.

Ok, ok. Though something you call "virtual reassembly" is not
reassembly at all, its processing cost is equivalent to real
reassembly. That is, you are saying fragmentation and reassembly
are so easy that there is no need to avoid them.

So, let's revise IPv6 and use fragmentation everywhere. There has
never been a need for impossible PMTUD.

> Only poor purchasing decisions causing everyone else to have to
> work around them.

It is caused primarily by stupid design of IPv6.

						Masataka Ohta
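
The hold-until-first-fragment behaviour quoted above ("hold fragments until you see the first fragment, check it, then release all matching fragments"), as an added example that is not part of the original message or of any firewall's code. It assumes the Fragment header directly follows the fixed IPv6 header and that expiry of held state is handled elsewhere; `HoldAndRelease`, `allow_dns` and the sample packets are hypothetical and constructed for illustration.

```python
import struct
from collections import defaultdict

FRAGMENT_NH = 44  # IPv6 Next Header value for the Fragment extension header

def parse_fragment(pkt):
    """Return (flow_key, offset_units, upper_proto, payload), or None if not a fragment."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != FRAGMENT_NH:
        return None
    next_hdr, _, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    return (pkt[8:24], pkt[24:40], ident), off_flags >> 3, next_hdr, pkt[48:]

class HoldAndRelease:
    """Hold non-first fragments until the first one is checked; never reassembles."""
    def __init__(self, allow, max_held=32):
        self.allow = allow            # policy: (upper_proto, first_payload) -> bool
        self.max_held = max_held      # per-flow cap so held state stays bounded
        self.held = defaultdict(list)
        self.verdict = {}

    def feed(self, pkt):
        """Return the packets to forward now, each one unmodified."""
        frag = parse_fragment(pkt)
        if frag is None:
            return [pkt]              # non-fragments go to the normal filter path (not modeled)
        key, offset, proto, payload = frag
        if key in self.verdict:       # first fragment already judged
            return [pkt] if self.verdict[key] else []
        if offset != 0:               # no upper-layer header in this piece: hold it
            if len(self.held[key]) < self.max_held:
                self.held[key].append(pkt)
            return []
        self.verdict[key] = self.allow(proto, payload)
        queued = self.held.pop(key, [])
        return [pkt] + queued if self.verdict[key] else []

def allow_dns(proto, first_payload):
    """Hypothetical policy: UDP to destination port 53 only."""
    return proto == 17 and len(first_payload) >= 8 and first_payload[2:4] == b"\x00\x35"

def make_frag(ident, offset_units, more, payload, proto=17):
    """Constructed sample packet: fixed IPv6 header + Fragment header + payload."""
    fixed = struct.pack("!IHBB", 6 << 28, 8 + len(payload), FRAGMENT_NH, 64)
    addrs = bytes(15) + b"\x01" + bytes(15) + b"\x02"
    frag_hdr = struct.pack("!BBHI", proto, 0, offset_units << 3 | more, ident)
    return fixed + addrs + frag_hdr + payload

def udp_first(dport):
    """Constructed 16-byte first-fragment payload: UDP header plus 8 data bytes."""
    return struct.pack("!HHHH", 4000, dport, 24, 0) + b"A" * 8
```

Each released packet leaves at its original size, so nothing larger than the fragments that arrived is ever emitted; the cost is the per-flow held queue and verdict table.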