Re: Is Fragmentation at IP layer even needed ?
Mark Andrews <marka@isc.org> Fri, 12 February 2016 03:30 UTC
Return-Path: <marka@isc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 287501B3EE6 for <ietf@ietfa.amsl.com>; Thu, 11 Feb 2016 19:30:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tsjbn_6Rzx9n for <ietf@ietfa.amsl.com>; Thu, 11 Feb 2016 19:30:37 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A81D11B3EE4 for <ietf@ietf.org>; Thu, 11 Feb 2016 19:30:37 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 6C1CB349420; Fri, 12 Feb 2016 03:30:35 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 60CF316006C; Fri, 12 Feb 2016 03:30:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5210D16006B; Fri, 12 Feb 2016 03:30:35 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ZFfT9dCIH7U3; Fri, 12 Feb 2016 03:30:35 +0000 (UTC)
Received: from rock.dv.isc.org (c110-21-49-25.carlnfd1.nsw.optusnet.com.au [110.21.49.25]) by zmx1.isc.org (Postfix) with ESMTPSA id 0A31316004B; Fri, 12 Feb 2016 03:30:35 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 39F25420758B; Fri, 12 Feb 2016 14:30:31 +1100 (EST)
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
References: <CAOJ6w=EvzE3dM4Y2mFFR=9YyPBdmFu_jkF4-42LjkdbRd3yz_w@mail.gmail.com> <BLUPR05MB1985F5F2BB3118362C67B921AED50@BLUPR05MB1985.namprd05.prod.outlook.com> <20160208200943.A615941B5B96@rock.dv.isc.org> <CAMm+LwgLoYpQ1TNOTOuJzh+cu+GyRBf9=y_K7K35boQ9WcZKjA@mail.gmail.com> <56B92A96.9050200@si6networks.com> <CAMm+LwifTXvVd1mPZOfcOOR03Fnj-82H9aDVS01=wGezePtnXw@mail.gmail.com> <56BA4BC7.1010002@isi.edu> <CAMm+Lwi-n=be4AWGibs+Zq9egYw5pSDmPGb-4P0LDEcX1E6osA@mail.gmail.com> <56BA68CE.7090304@isi.edu> <CAMm+LwiM2sFUeejgJZe650UQbVHrh7EHrEF2omvPrZJPodgJLA@mail.gmail.com> <56BA739D.7060309@isi.edu> <CAMm+Lwij1dOkK0b2ZnJiPMtba=wc823WgYjqw0iwAApa3KBYcg@mail.gmail.com> <56BA95C7.8060109@isi.edu> <56BAD6CC.2030209@necom830.hpcl.titech.ac.jp> <56BBAAF7.6020903@isi.edu> <56BC9516.6050305@necom830.hpcl.titech.ac.jp> <56BCCBB4.4050909@isi.edu> <56BCF514.6040401@necom830.hpcl.titech.ac.jp>
Subject: Re: Is Fragmentation at IP layer even needed ?
In-reply-to: Your message of "Fri, 12 Feb 2016 05:54:44 +0900." <56BCF514.6040401@necom830.hpcl.titech.ac.jp>
Date: Fri, 12 Feb 2016 14:30:31 +1100
Message-Id: <20160212033031.39F25420758B@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/wD8GuIeglErp7MJiils22dh_8e0>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2016 03:30:39 -0000
In message <56BCF514.6040401@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes: > Joe Touch wrote: > > >> So, you think firewalls should reassemble fragments. Wow! > > > > And yet that is exactly the correct conclusion regarding most behaviors > > that firewalls perform that act like end hosts. Once you realize that > > inspecting L4 or encaps/decaps is acting like a host, the requirements > > become very clear - even if you don't like them. > > The reality is that you don't like the reality. > > > So yes, a firewall that inspects L4 or encap/decaps either needs to > > reassemble fragments or act like that's what's happening (e.g., to > > retain a copy of the first fragment of a set to direct later fragments > > within that set). > > Remember, with IPv6, the firewall can't fragment the reassembled > packets. So, no, unless the firewall output reassembled packets, > which may be larger than MTU of an outgoing link, it is not "act > like that's what's happening". The key words were "act like that's what's happening". You can hold fragments until you see the first fragment, check it, then release all matching fragments. You can virtually reassemble all the fragments then release them all if you need to see the entire packet. There has never been a need to throw away all fragments. Only poor purchasing decisions causing everyone else to have to work around them. > > The model takes you to exactly the right conclusion. > > The wrong conclusion above means your model is broken. > > Simplistic view is not applicable to complicated things. > > Masataka Ohta > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: Is Fragmentation at IP layer even needed ? John Levine
- Re: Is Fragmentation at IP layer even needed ? Yoav Nir
- Re: Is Fragmentation at IP layer even needed ? Alexey Eromenko
- Re: Is Fragmentation at IP layer even needed ? Yoav Nir
- Is Fragmentation at IP layer even needed ? Alexey Eromenko
- RE: Is Fragmentation at IP layer even needed ? Templin, Fred L
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Alexey Eromenko
- Re: Is Fragmentation at IP layer even needed ? David Borman
- RE: Is Fragmentation at IP layer even needed ? Ronald Bonica
- Re: Is Fragmentation at IP layer even needed ? Warren Kumari
- Re: Is Fragmentation at IP layer even needed ? David Borman
- Re: Is Fragmentation at IP layer even needed ? Mark Andrews
- Re: Is Fragmentation at IP layer even needed ? Mark Andrews
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- RE: Is Fragmentation at IP layer even needed ? Ronald Bonica
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Carsten Bormann
- Re: Is Fragmentation at IP layer even needed ? Joel M. Halpern
- Re: Is Fragmentation at IP layer even needed ? Theodore V Faber
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Ted Hardie
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Warren Kumari
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Yoav Nir
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Harald Alvestrand
- Re: Is Fragmentation at IP layer even needed ? Tony Finch
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Warren Kumari
- Re: Is Fragmentation at IP layer even needed ? Harald Alvestrand
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Doug Royer
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Not EUI-64 [was Re: Is Fragmentation at IP layer … Brian E Carpenter
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? joel jaeggli
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Fernando Gont
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- RE: Is Fragmentation at IP layer even needed ? Templin, Fred L
- Re: Is Fragmentation at IP layer even needed ? Alexey Eromenko
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- RE: Is Fragmentation at IP layer even needed ? Templin, Fred L
- Re: Is Fragmentation at IP layer even needed ? Phillip Hallam-Baker
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Mark Andrews
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Mark Andrews
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Warren Kumari
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Joe Touch
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Brian E Carpenter
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Masataka Ohta
- Re: Is Fragmentation at IP layer even needed ? Mark Andrews