Re: Is Fragmentation at IP layer even needed ?

Mark Andrews <marka@isc.org> Fri, 12 February 2016 03:30 UTC

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
References: <CAOJ6w=EvzE3dM4Y2mFFR=9YyPBdmFu_jkF4-42LjkdbRd3yz_w@mail.gmail.com> <BLUPR05MB1985F5F2BB3118362C67B921AED50@BLUPR05MB1985.namprd05.prod.outlook.com> <20160208200943.A615941B5B96@rock.dv.isc.org> <CAMm+LwgLoYpQ1TNOTOuJzh+cu+GyRBf9=y_K7K35boQ9WcZKjA@mail.gmail.com> <56B92A96.9050200@si6networks.com> <CAMm+LwifTXvVd1mPZOfcOOR03Fnj-82H9aDVS01=wGezePtnXw@mail.gmail.com> <56BA4BC7.1010002@isi.edu> <CAMm+Lwi-n=be4AWGibs+Zq9egYw5pSDmPGb-4P0LDEcX1E6osA@mail.gmail.com> <56BA68CE.7090304@isi.edu> <CAMm+LwiM2sFUeejgJZe650UQbVHrh7EHrEF2omvPrZJPodgJLA@mail.gmail.com> <56BA739D.7060309@isi.edu> <CAMm+Lwij1dOkK0b2ZnJiPMtba=wc823WgYjqw0iwAApa3KBYcg@mail.gmail.com> <56BA95C7.8060109@isi.edu> <56BAD6CC.2030209@necom830.hpcl.titech.ac.jp> <56BBAAF7.6020903@isi.edu> <56BC9516.6050305@necom830.hpcl.titech.ac.jp> <56BCCBB4.4050909@isi.edu> <56BCF514.6040401@necom830.hpcl.titech.ac.jp>
Subject: Re: Is Fragmentation at IP layer even needed ?
In-reply-to: Your message of "Fri, 12 Feb 2016 05:54:44 +0900." <56BCF514.6040401@necom830.hpcl.titech.ac.jp>
Date: Fri, 12 Feb 2016 14:30:31 +1100
Message-Id: <20160212033031.39F25420758B@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/wD8GuIeglErp7MJiils22dh_8e0>
Cc: ietf@ietf.org

In message <56BCF514.6040401@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Joe Touch wrote:
> 
> >> So, you think firewalls should reassemble fragments. Wow!
> > 
> > And yet that is exactly the correct conclusion regarding most behaviors
> > that firewalls perform that act like end hosts. Once you realize that
> > inspecting L4 or encaps/decaps is acting like a host, the requirements
> > become very clear - even if you don't like them.
> 
> The reality is that you don't like the reality.
> 
> > So yes, a firewall that inspects L4 or encap/decaps either needs to
> > reassemble fragments or act like that's what's happening (e.g., to
> > retain a copy of the first fragment of a set to direct later fragments
> > within that set).
> 
> Remember, with IPv6, the firewall can't fragment the reassembled
> packets. So, no, unless the firewall output reassembled packets,
> which may be larger than MTU of an outgoing link, it is not "act
> like that's what's happening".

The key words were "act like that's what's happening".  You can
hold fragments until you see the first fragment, check it, then
release all matching fragments.  You can virtually reassemble all
the fragments then release them all if you need to see the entire
packet.  There has never been a need to throw away all fragments,
only poor purchasing decisions that cause everyone else to have to
work around them.

> > The model takes you to exactly the right conclusion.
> 
> The wrong conclusion above means your model is broken.
> 
> A simplistic view is not applicable to complicated things.
> 
> 							Masataka Ohta
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
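The "hold until the first fragment, check it, then release all matching fragments" behaviour described in the message above, written out as an added Python illustration (it is not code from Mark Andrews, ISC, or any firewall product). The firewall never emits a reassembled datagram: each fragment is forwarded exactly as it arrived, so nothing downstream has to re-fragment, which is the IPv6 constraint the quoted reply raises. Held fragments are bounded per datagram and expire on a timeout so an attacker cannot fill memory with headless fragment sets; a first fragment too short to carry the L4 ports is refused. The `Fragment` model, the `allow_dst_port_443` policy and the sample addresses are all constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment as the firewall sees it (constructed model, not a packet parser)."""
    src: str
    dst: str
    ident: int       # Identification value shared by every fragment of one datagram
    offset: int      # fragment offset in bytes; 0 marks the first fragment
    more: bool       # "More Fragments" flag
    payload: bytes   # for the first fragment this starts with the L4 header


@dataclass
class FragState:
    verdict: Optional[bool] = None                # None: first fragment not yet seen
    held: List[Fragment] = field(default_factory=list)
    created: float = 0.0


Policy = Callable[[str, str, bytes], bool]


def allow_dst_port_443(src: str, dst: str, l4: bytes) -> bool:
    """Constructed policy: permit only flows whose destination port is 443.
    A first fragment too short to carry the 4-byte port pair is dropped outright."""
    if len(l4) < 4:
        return False
    _sport, dport = struct.unpack("!HH", l4[:4])
    return dport == 443


def build_first_fragment(src: str, dst: str, ident: int, sport: int,
                         dport: int, data: bytes, more: bool = True) -> Fragment:
    """Helper for tests/demos: a first fragment whose payload begins with an L4 port pair."""
    return Fragment(src, dst, ident, 0, more, struct.pack("!HH", sport, dport) + data)


class VirtualReassemblyFirewall:
    """Applies a policy to the first fragment and propagates the verdict to the rest,
    without ever rebuilding or re-fragmenting the datagram."""

    def __init__(self, policy: Policy, max_held: int = 64, timeout: float = 30.0) -> None:
        self.policy = policy
        self.max_held = max_held   # bound on fragments buffered per datagram
        self.timeout = timeout     # seconds to wait for a first fragment
        self.states: Dict[Tuple[str, str, int], FragState] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, s in self.states.items() if now - s.created > self.timeout]
        for k in stale:
            del self.states[k]     # held fragments go with the state: never released unchecked

    def process(self, frag: Fragment, now: float) -> List[Fragment]:
        """Return the fragments to forward, unchanged, as a result of this arrival."""
        self._expire(now)
        if frag.offset == 0 and not frag.more:
            # Unfragmented datagram: ordinary inspection, no state needed.
            return [frag] if self.policy(frag.src, frag.dst, frag.payload) else []
        key = (frag.src, frag.dst, frag.ident)
        state = self.states.setdefault(key, FragState(created=now))
        if state.verdict is not None:
            # Verdict already taken on the first fragment: apply it to this one.
            return [frag] if state.verdict else []
        if frag.offset == 0:
            # First fragment arrives: decide, then release or discard everything held.
            state.verdict = self.policy(frag.src, frag.dst, frag.payload)
            released = [frag] + state.held if state.verdict else []
            state.held = []
            return released
        # Non-first fragment ahead of the first: hold it, within a fixed bound.
        if len(state.held) >= self.max_held:
            # Too many headless fragments: refuse this set until its state expires.
            state.verdict = False
            state.held = []
            return []
        state.held.append(frag)
        return []


if __name__ == "__main__":
    fw = VirtualReassemblyFirewall(allow_dst_port_443)
    src, dst = "2001:db8::1", "2001:db8::2"       # constructed sample addresses
    mid = Fragment(src, dst, 7, 1232, True, b"m" * 8)
    first = build_first_fragment(src, dst, 7, 40000, 443, b"z" * 8)
    print("mid alone  ->", fw.process(mid, 0.0))     # [] (held)
    print("first      ->", fw.process(first, 0.1))   # [first, mid] released together
```

Two things worth noticing when reading the flow: a fragment arriving after the verdict is forwarded or dropped immediately with no buffering, and a fragment set whose first fragment never shows up is discarded at expiry rather than being let through, which is the "virtual" reassembly the message contrasts with full reassembly plus re-fragmentation.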