Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Mikael Abrahamsson <swmike@swm.pp.se> Mon, 30 July 2018 05:29 UTC

Date: Mon, 30 Jul 2018 07:29:11 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Joe Touch <touch@strayalpha.com>
cc: "internet-area@ietf.org" <int-area@ietf.org>
In-Reply-To: <9168D506-E734-45E4-A9C2-09A64BCE179C@strayalpha.com>
Message-ID: <alpine.DEB.2.20.1807300726500.14354@uplift.swm.pp.se>
References: <F227637E-B12D-45AA-AD69-74C947409012@ericsson.com> <0466770D-C8CA-49BB-AC10-5805CFDFB165@strayalpha.com> <6EDF0F79-C8F3-4F05-8442-FF55576ADDD0@employees.org> <alpine.DEB.2.20.1807271530280.14354@uplift.swm.pp.se> <CALx6S35LthDLRry7k-pF8KSoX4BXBA8kyArOpDUAcJMDCoLQpQ@mail.gmail.com> <alpine.DEB.2.20.1807280811540.14354@uplift.swm.pp.se> <8640DCF6-A525-4CF7-A89D-2DEDBF0FADC8@strayalpha.com> <alpine.DEB.2.20.1807290822250.14354@uplift.swm.pp.se> <9168D506-E734-45E4-A9C2-09A64BCE179C@strayalpha.com>
Organization: People's Front Against WWW
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/GZt_FLi-B9ikwr8xxJENQU8BwmQ>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

On Sun, 29 Jul 2018, Joe Touch wrote:

> You’re engaging in a game of escalation - whatever layer you add 
> fragmentation will end up being a layer that a vendor puts a device that 
> does DPI that fails.

Yes, but I can filter those UDP packets by looking in the UDP header, 
that's all the DPI I need in that box. It doesn't need to understand the 
upper-protocol level fragmentation, because I do not require it to 
understand that protocol at all. I just need it to understand that it's 
UDP and look at the UDP port number.

The biggest mistake of TCP and UDP combined with IP level fragmentation is 
that the port information isn't available in every packet.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
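The point in the message above (a port-based filter sees the UDP header only in the first fragment of an IP-fragmented datagram, whereas fragmentation done above UDP leaves the port visible in every packet) is illustrated by the following Python, written here as an added example; it is not code from the author or from the draft under discussion. It builds a constructed 1400-byte UDP datagram between documentation addresses (192.0.2.1 and 192.0.2.2, ports 40000 and 53, all made up for the example), fragments it at the IP layer per RFC 791, and runs a minimal port-based classifier over each packet on the wire, then does the same for application-layer chunking over unfragmented UDP.

```python
"""IP-layer vs application-layer fragmentation as seen by a UDP-port filter (added example)."""
import struct

IP_MF = 0x2000           # "More Fragments" flag in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload: bytes, ident=0x1234) -> bytes:
    """Minimal 20-byte IPv4 header plus a UDP datagram (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, PROTO_UDP, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def fragment_ipv4(packet: bytes, mtu: int) -> list:
    """Split an IPv4 datagram (20-byte header) into RFC 791 fragments that fit in mtu."""
    hdr, data = packet[:20], packet[20:]
    chunk = (mtu - 20) // 8 * 8  # fragment data must be a multiple of 8 bytes
    assert chunk > 0, "MTU too small to carry any fragment data"
    ident = struct.unpack("!H", hdr[4:6])[0]
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = IP_MF if off + chunk < len(data) else 0
        flags_off = more | ((off // 8) & IP_OFFSET_MASK)
        fh = (hdr[:2] + struct.pack("!HHH", 20 + len(piece), ident, flags_off)
              + hdr[8:10] + b"\x00\x00" + hdr[12:])
        fh = fh[:10] + struct.pack("!H", ipv4_checksum(fh)) + fh[12:]
        frags.append(fh + piece)
    return frags


def classify(packet: bytes) -> dict:
    """What a middlebox can learn from one packet on the wire without reassembly."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", packet[6:8])[0]
    info = {"proto": packet[9], "offset": flags_off & IP_OFFSET_MASK,
            "more_fragments": bool(flags_off & IP_MF), "sport": None, "dport": None}
    # The UDP header travels only in the fragment with offset 0.
    if info["offset"] == 0 and info["proto"] == PROTO_UDP and len(packet) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def port_filter(packet: bytes, blocked_dport: int) -> str:
    """Decision of a filter that looks only at the UDP destination port."""
    info = classify(packet)
    if info["dport"] is None:
        return "unclassifiable"  # non-first fragment: there is no port to look at
    return "drop" if info["dport"] == blocked_dport else "pass"


def app_layer_fragments(src, dst, sport, dport, payload: bytes, mtu: int) -> list:
    """Alternative: chunk above UDP so every IP packet is a complete, unfragmented datagram."""
    chunk = mtu - 28  # 20-byte IP header + 8-byte UDP header
    return [build_ipv4_udp(src, dst, sport, dport, payload[i:i + chunk], ident=i)
            for i in range(0, len(payload), chunk)]


def demo(mtu: int = 576):
    """Run the port filter over both fragmentation strategies; returns the two decision lists."""
    payload = bytes(1400)  # constructed 1400-byte application message
    big = build_ipv4_udp("192.0.2.1", "192.0.2.2", 40000, 53, payload)
    ip_frags = fragment_ipv4(big, mtu)
    app_frags = app_layer_fragments("192.0.2.1", "192.0.2.2", 40000, 53, payload, mtu)
    return ([port_filter(f, 53) for f in ip_frags], [port_filter(f, 53) for f in app_frags])


if __name__ == "__main__":
    ip_decisions, app_decisions = demo()
    print("IP-layer fragments :", ip_decisions)
    print("App-layer datagrams:", app_decisions)
```

With a 576-byte MTU the 1428-byte datagram becomes three IP fragments, and only the first carries the port, so the filter can decide on one packet and has to guess on the other two; the application-layer chunking yields three complete datagrams, each of which the filter can classify on its own.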