Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

"Templin (US), Fred L" <> Fri, 31 August 2018 16:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 36B7B130E51; Fri, 31 Aug 2018 09:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3tTvsFG80VWk; Fri, 31 Aug 2018 09:12:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 435BD130E20; Fri, 31 Aug 2018 09:12:42 -0700 (PDT)
Received: from localhost (localhost []) by (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id w7VGCflY007203; Fri, 31 Aug 2018 09:12:41 -0700
Received: from ( []) by (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id w7VGCdQI006824 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Fri, 31 Aug 2018 09:12:39 -0700
Received: from (2002:8988:eede::8988:eede) by (2002:8988:efdc::8988:efdc) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 31 Aug 2018 09:12:38 -0700
Received: from ([]) by ([]) with mapi id 15.00.1367.000; Fri, 31 Aug 2018 09:12:38 -0700
From: "Templin (US), Fred L" <>
To: Joe Touch <>, Tom Herbert <>
CC: int-area <>, Toerless Eckert <>, "" <>
Thread-Topic: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
Thread-Index: AQHUQUNTdkxN0DHlqk+wgRWsO7c3L6TaBoYw
Date: Fri, 31 Aug 2018 16:12:38 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-tm-snts-smtp: 12E83EB1BBA2B78953F385338C4DFFE1AC99A0940FCB523B92C24B04C8BB4C6B2000:8
Content-Type: multipart/alternative; boundary="_000_283a2682b98442a085f27781c85a8476XCH150608nwnosboeingcom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 31 Aug 2018 16:12:44 -0000

>> Any middlebox that uses state not available in all fragments MUST reassemble or keep equivalent storage/state to process fragments appropriately.

This statement is true without question, so the only question is what applications
would produce IP fragments that need to be forwarded by a middlebox. We have
already seen that ‘iperf3’ produces IP fragments by default on some systems. And,
intarea-tunnels makes the case for tunnels.

I will also make the case for NAT66. With RFC4193 ULAs, NAT66 will be inevitable,
but a middlebox may be able to translate based only on the IPv6 addresses and
not transport-layer port numbers. Such a middlebox could forward fragments
without having to reassemble or otherwise hold them until all fragments have

Thanks - Fred

From: Int-area [] On Behalf Of Joe Touch
Sent: Friday, August 31, 2018 8:57 AM
To: Tom Herbert <>
Cc: int-area <>rg>; Toerless Eckert <>de>;
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

On Aug 31, 2018, at 8:44 AM, Tom Herbert <<>> wrote:


There is an alternative: don't use NAT!

Agreed - that should also be part of the observations of this doc.

Yes, something needs to be done, but I argue that *until we have a worked
alternative*, we need to keep restating the fact - NATs/firewalls MUST
reassemble to work properly; where they don’t, the error is on them - not
the rest of the Internet for using fragments.

Reassembly could only be a MUST for NAT, not firewalls.

“or its equivalent"

NAT might be
required because of the identifier space issue, however we already
shown how a firewall can achieve proper functionality without
reassembly and to be stateless by forwarding fragments and potentially
dropping the first one that contains port information being filtered.

First, firewalls that port-filter need to do the same thing as a NAT in terms of keeping state.

The fact that this might forward fragments that are never reassembled
is at best an optimization with unproven benefit.

ATM proved otherwise in numerous published studies in the late 1980s. Those fragments compete for bandwidth further along the path; anytime they “win”, that decision is not work-conserving.

Note that keeping some state is already needed (if port-filtering) and that - as you note - the state filtering need not be “perfect”. However, it really ought to be SHOULD at least.

There is another case where in-network reassembly could be required
which is load balancing to a virtual IP address.

Any middlebox that uses state not available in all fragments MUST reassemble or keep equivalent storage/state to process fragments appropriately.

Like NAT though, in the long run I believe IPv6 offers a better
solution that would eliminate the need for VIPs.

That’s true right up until we end up in a world where (mostly) nobody correctly uses flow IDs. Oh, wait - we’re already there…