Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Joe Touch <> Mon, 30 July 2018 13:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 111B41310C7 for <>; Mon, 30 Jul 2018 06:36:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 06flQ_azed9x for <>; Mon, 30 Jul 2018 06:36:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 32C4D1310C6 for <>; Mon, 30 Jul 2018 06:36:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=xpEB+FJ3xdpIM+C7Mql/IP6iEciu6m9RTZOXdTlM750=; b=gjXdp4dyZ54PLjvr+oowhE6JS o3wrYf2PeajyWlq0q3pQUNBwqr2B9+BDxcrWRCsIzXoTqM2YIIIJkGnAjngmrFFsQcCPyFOQIAMez +R+sXvTVTV4xJH9+zFkoFA5dzLI8EVM0iatPO1BZhlYPle+VWvrE4gL0BP0pbm5Jd6JfVKwd/UWi/ 9wLHqX/o9lTW9vZmxxVtXZNPYLziimwV/VVj2RKRluBfguV/uZmue7Znu2NWsRuV0kA6l0pPce7ab +KfF1CCwWmsbugaKEfLaBi5YS+eG0cEcAmp0PC4Ut4MzVKrzV6kXXKWmVUGFfoQrxyCU2K4BP+oaf KkP69ZTpQ==;
Received: from ([]:55549 helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <>) id 1fk8LS-00203P-9q; Mon, 30 Jul 2018 09:36:20 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <>
In-Reply-To: <>
Date: Mon, 30 Jul 2018 06:36:16 -0700
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <>
To: Mikael Abrahamsson <>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Jul 2018 13:36:23 -0000

> On Jul 29, 2018, at 10:29 PM, Mikael Abrahamsson <> wrote:
> On Sun, 29 Jul 2018, Joe Touch wrote:
>> You’re engaging in a game of escalation - whatever layer you add fragmentation will end up being a layer that a vendor puts a device that does DPI that fails.
> Yes, but I can filter those UDP packets by looking in the UDP header, that's all the DPI I need in that box. It doesn't need to understand the upper-protocol level fragmentation, because I do not require it to understand that protocol at all. I just need for it to understand that it's UDP and look at the UDP port number.

Right. You need just UDP ports right now for YOUR DPI.

Others need to look at the payload (the D in DPI).

> The biggest mistake of TCP and UDP combined with IP level fragmentation is that the port information isn't available in every packet.

The biggest mistake of protocol X with X-1 level fragmentation is that the entire headers of X aren’t available in every X-1 packet.

Replace X with your favorite protocol and you’ll see how and why this can’t continue to work. The packets would eventually burst with all the headers.