Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Joe Touch <> Sun, 29 July 2018 16:22 UTC

From: Joe Touch <>
Date: Sun, 29 Jul 2018 09:22:01 -0700
Cc: Ole Troan <>
To: Tom Herbert <>

> On Jul 29, 2018, at 9:11 AM, Tom Herbert <> wrote:
>> ...
>> That said, there’s no real problem with a NAT *IF* it acts as a host on the
>> Internet
>> (see Touch, J: Middlebox Models Compatible with the Internet. USC/ISI
>> (ISI-TR-711), 2016.)
> Joe,
> It's still a problem though. A NAT (or any stateful device in the
> network) forces the requirement in network architecture that all
> packets of a flow are routed through the same device.

I didn’t make that requirement. The Internet does - it’s what it *means* to have an IP address.

A NAT *has* the address of the packets it sources; if it isn’t the sink of that address, then it’s being used incorrectly. If it doesn’t reassemble those packets before translating them (i.e., by translating only unfragmented packets and dropping fragmented ones), then it is broken and ought to be returned for a refund.

> This has killed
> our ability to use multi-homing and multi-path.

No, the Internet supports multi path between two IP endpoints and allows multihoming for a single address when managed by a single endpoint (physical or virtual).

The disconnect is a failure to understand that a NAT *is* an IP endpoint. The term “middlebox” is wrong in that sense, at least it’s not a middle box to the Internet (it is to the device behind the NAT).

> The best way for an
> intermediate devices to deal with transport layer state is to be an L4
> proxy. The intermediate is a host endpoint for the proxy connections,
> but then that has its own problems since it breaks E2E functionality
> (like TCP auth). So the only real solution is to eliminate transport
> state from the network.

That would work only if the network didn’t look at or modify transport information - and it did work when that was the case.

> I'm still holding out hope that IPv6 will
> start to obsolete use of NAT! FAST (draft-herbert-fast-02) is intended
> to provide a viable alternative to stateful firewalls.

Getting rid of NATs is only part of the problem. Anything that does DPI is a problem when it discards messages it can’t parse because they’re fragmented.
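The behaviour Joe describes above, that a NAT must reassemble fragments before translating them or else translate only unfragmented packets and drop the rest, as an added example that is not from this thread or from any draft it cites: a minimal IPv4 reassembler beside a UDP NAPT egress step, with the per-fragment shortcut shown for contrast (only the first fragment carries the UDP ports, so the others have nothing to map). Addresses, identifier, port pool and the datagram are constructed.

```python
import struct
from collections import namedtuple
# offset is in 8-byte units and more is the MF flag, as in the IPv4 header
Fragment = namedtuple("Fragment", "src dst ident proto offset more payload")

def reassemble(pending, f):
    """Add fragment f to the pending table, keyed by (src, dst, ident, proto), and
    return the whole payload once the last fragment is in and no hole remains."""
    key = (f.src, f.dst, f.ident, f.proto)
    entry = pending.setdefault(key, {"parts": {}, "total": None})
    entry["parts"][f.offset * 8] = f.payload
    if not f.more:
        entry["total"] = f.offset * 8 + len(f.payload)
    if entry["total"] is None:
        return None                        # last fragment not seen yet
    data, pos = bytearray(), 0
    while pos < entry["total"]:
        part = entry["parts"].get(pos)
        if part is None:
            return None                    # a hole remains: keep waiting
        data += part
        pos += len(part)
    del pending[key]
    return bytes(data)

def napt_egress(payload, inside_ip, nat_ip, port_map):
    """Rewrite source address and UDP source port of a complete datagram."""
    sport = struct.unpack("!H", payload[:2])[0]
    new_sport = port_map.setdefault((inside_ip, sport), 40000 + len(port_map))
    return nat_ip, struct.pack("!H", new_sport) + payload[2:]

def translate_per_fragment(frags, inside_ip, nat_ip, port_map):
    """Broken design: only the first fragment carries ports; the rest are silently lost."""
    return [napt_egress(f.payload, inside_ip, nat_ip, port_map)
            for f in frags if f.offset == 0 and len(f.payload) >= 8]

def reassemble_then_translate(frags, inside_ip, nat_ip, port_map):
    """Correct design: reassemble first, then translate the whole datagram once."""
    pending = {}
    for f in frags:
        whole = reassemble(pending, f)
        if whole is not None:
            return napt_egress(whole, inside_ip, nat_ip, port_map)
    return None                            # still incomplete: drop, never forward

# Constructed sample: 1208-byte UDP datagram (5353 -> 53), cut every 576 bytes, arriving middle, last, first
BODY = struct.pack("!HHHH", 5353, 53, 1208, 0) + bytes(range(256)) * 4 + b"\x00" * 176
SAMPLE = [Fragment("10.0.0.5", "192.0.2.1", 0xBEEF, 17, i // 8, i + 576 < len(BODY),
                   BODY[i:i + 576]) for i in (576, 1152, 0)]
```

With the sample, the reassembling path yields one translated 1208-byte datagram, while the per-fragment path emits only the first 576-byte fragment and loses the other two.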