Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Toerless Eckert <> Mon, 27 August 2018 05:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 851EB130E6D; Sun, 26 Aug 2018 22:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ds6452LSorwT; Sun, 26 Aug 2018 22:22:02 -0700 (PDT)
Received: from ( [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0AE6B130DE0; Sun, 26 Aug 2018 22:22:01 -0700 (PDT)
Received: from ( [IPv6:2001:638:a000:4134::ffff:52]) by (Postfix) with ESMTP id 058C854832B; Mon, 27 Aug 2018 07:21:58 +0200 (CEST)
Received: by (Postfix, from userid 10463) id EB0C1440054; Mon, 27 Aug 2018 07:21:57 +0200 (CEST)
Date: Mon, 27 Aug 2018 07:21:57 +0200
From: Toerless Eckert <>
To: Tom Herbert <>
Cc: Joe Touch <>, Christian Huitema <>, int-area <>,
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 27 Aug 2018 05:22:05 -0000

On Sun, Aug 26, 2018 at 08:19:41PM -0700, Tom Herbert wrote:
> Toerless,
> I'm not sure what "outsourced into a common network component" means.
> I've done a lot of app and OS development and have NEVER once
> "outsourced" security to the network.

And i worked in a company where for a good while, SOCKS was a key part
of the security concept. What do two random people experience data points
help here ? ;-)

> OSes and apps need to work
> across all networks, in any possible environment, so having one
> network provide a strict firewall, and in the next one no firewall
> doesn't help really help things. Least common denominator for security
> is no firewall, and that's what we assume in host development.

The main question is what architecture we want for firewalls. IMHO i
primarily need one where the firewall operator can be someone else
from whoever operates any type of potentially crappy endpoint
or endpoint app. If there are perfect security endpoint/e dpoint apps, thats
fine, but they are not the problem anyhow.

Assuming host development to be security wise good enough to connect
to the internet without an external firewall is quite risky for most
hosts that are not running the latest Windows/MacOS with good firewall

> Or perhaps they don't want to make it work since there is no standard
> protocol for hosts to communicate characteristics of traffic with the
> network. I think
> could be that.

subscriber and app-id are probably more important.