RE: Is Fragmentation at IP layer even needed ?

"Templin, Fred L" <Fred.L.Templin@boeing.com> Thu, 11 February 2016 18:07 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Joe Touch <touch@isi.edu>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Is Fragmentation at IP layer even needed ?
Thread-Topic: Is Fragmentation at IP layer even needed ?
Thread-Index: AQHRZPXFk/ZV9VXlO0mYqSjUQYKAMZ8nI0Iw
Date: Thu, 11 Feb 2016 18:07:26 +0000
Message-ID: <2134F8430051B64F815C691A62D9831833966938@XCH-BLV-105.nw.nos.boeing.com>
In-Reply-To: <56BCCBB4.4050909@isi.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/pGlGwceHhAGbNjbkmyZ-llQo6hI>

Hi Joe,

> -----Original Message-----
> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Joe Touch
> Sent: Thursday, February 11, 2016 9:58 AM
> To: Masataka Ohta; ietf@ietf.org
> Subject: Re: Is Fragmentation at IP layer even needed ?
> 
> 
> 
> On 2/11/2016 6:05 AM, Masataka Ohta wrote:
> > Joe Touch wrote:
> >
> >> I repeat: nodes that encap or decap are acting as sources or sinks, not
> >> relays.
> >
> > I'm afraid firewalls are relays.
> 
> A firewall that filters on L3 is a router regardless of which side you
> look at.
> 
> A firewall that encaps/decapsulates is a host on the public side and a
> router on the private side. A firewall that inspects beyond L3 is a host
> as well, for similar reasons.
> 
> So the term "firewall" isn't the issue; it's the behavior that is.
> 
> >> Nodes such as NATs and firewalls act as end hosts on the public side and
> >> routers on the private side. Which is why they need to obey RFC1122
> >> semantics on the public side.
> >
> > So, you think firewalls should reassemble fragments. Wow!
> 
> And yet that is exactly the correct conclusion regarding most behaviors
> that firewalls perform that act like end hosts. Once you realize that
> inspecting L4 or encaps/decaps is acting like a host, the requirements
> become very clear - even if you don't like them.
> 
> So yes, a firewall that inspects L4 or encap/decaps either needs to
> reassemble fragments or act like that's what's happening (e.g., to
> retain a copy of the first fragment of a set to direct later fragments
> within that set).

Correct - Cisco calls that "Virtual Fragmentation Reassembly", i.e., gather
up all of the fragments in the set and then release them unassembled
once the firewall has determined that the packet is acceptable.

Thanks - Fred
fred.l.templin@boeing.com

> The model takes you to exactly the right conclusion.
> 
> Joe
>
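The "virtual fragmentation reassembly" behaviour discussed in this exchange (hold a fragment set, judge it by the first fragment's L4 header, then release the original fragments unassembled or drop the whole set), as an added example that is not part of this message or of any vendor's implementation. The Frag/FragSet/VirtualReassembler names, the byte-unit offsets and the UDP destination-port policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import struct

@dataclass
class Frag:
    key: tuple            # (src, dst, proto, ident): identifies the fragment set
    offset: int           # byte offset in the datagram (real IPv4 offsets count 8-octet units)
    more: bool            # the IP "More Fragments" flag
    payload: bytes

@dataclass
class FragSet:
    frags: list = field(default_factory=list)
    total: Optional[int] = None   # datagram length, known once the MF=0 fragment arrives

    def complete(self):
        """True when the buffered fragments cover [0, total) with no holes."""
        if self.total is None:
            return False
        covered = 0
        for f in sorted(self.frags, key=lambda f: f.offset):
            if f.offset > covered:
                return False
            covered = max(covered, f.offset + len(f.payload))
        return covered >= self.total

def udp_dport_ok(first_payload, allowed=(53,)):
    """Assumed policy on the first fragment; one too short to hold the UDP header fails closed."""
    return len(first_payload) >= 8 and struct.unpack("!H", first_payload[2:4])[0] in allowed

class VirtualReassembler:
    def __init__(self, policy=udp_dport_ok):
        self.policy, self.sets = policy, {}

    def accept(self, frag):
        """Buffer one fragment. Once its set is complete, return the original
        fragments unmodified in offset order if policy passes, else [] (set dropped)."""
        s = self.sets.setdefault(frag.key, FragSet())
        s.frags.append(frag)
        if not frag.more:
            s.total = frag.offset + len(frag.payload)
        if not s.complete():
            return []                      # still waiting (or a hole): hold everything
        del self.sets[frag.key]
        first = min(s.frags, key=lambda f: f.offset)
        return sorted(s.frags, key=lambda f: f.offset) if self.policy(first.payload) else []

# Constructed sample: a 3-fragment UDP datagram to port 53, arriving out of order.
K = ("10.0.0.1", "10.0.0.2", 17, 7)
HDR = struct.pack("!HHHH", 40000, 53, 24, 0)   # sport, dport, length, checksum
SAMPLE = [Frag(K, 16, False, b"C" * 8), Frag(K, 0, True, HDR), Frag(K, 8, True, b"B" * 8)]
```

Nothing is forwarded until the set is whole, which is what makes the firewall act as the end host Joe describes while still emitting the sender's own fragments.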