Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Joe Touch <> Wed, 29 August 2018 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C7C09130EED; Wed, 29 Aug 2018 10:10:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t7pFgAgIRfcz; Wed, 29 Aug 2018 10:10:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D6AE5130EB8; Wed, 29 Aug 2018 10:10:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Type:MIME-Version:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3/yG0XMGruyrIbPW2ajpBTaEpiZ1UI0n/jLM7QpXteI=; b=fc+7e8YaxJSffhrUzTOXFIaRH Ku9fiDR+jtHXv2m0Tq/CJqWsfjczevGbf5qWN0eEuKndBrkRHazXIdQkb46TQy/ZOrJh1R2CutXbg uRM5lWZ9i/Fd0arXeqPLsY8YO9fl58evZ+LT8IRrXfSbq81ubnORJw8QW84FM0TQ4TxUqf78MlV5A osXsX7yt+x2Uhmu+2B6q3vrwIewzYL1fcKQwlJaldxnpawT9OZUX2hTqy2N29UmdhdN5CNLsFur8t kCkRM90Tk2U8YK40wtg2j1Y1dbYYat0siVZ48YWOvASoPjdO/MS8HvOTdSUHun1Cs8gd8scrRyDpR awuTV24qQ==;
Received: from [::1] (port=42086 by with esmtpa (Exim 4.91) (envelope-from <>) id 1fv3z6-003r6o-P7; Wed, 29 Aug 2018 13:10:26 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_26d76826134d758d82331f0880926046"
Date: Wed, 29 Aug 2018 10:10:24 -0700
From: Joe Touch <>
To: tom <>
Cc: Toerless Eckert <>, Christian Huitema <>, int-area <>,
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
Message-ID: <>
User-Agent: Roundcube Webmail/1.3.3
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Aug 2018 17:10:44 -0000


On 2018-08-29 09:53, tom wrote:

> On Wed, Aug 29, 2018 at 8:11 AM, Joe Touch <> wrote: 
>> On 2018-08-28 17:24, Toerless Eckert wrote:
>> ...Sure, i meant to imply that port-numbers are useful pragmatically,
>> but other context identifiers would long term be better.
>> Demux-Identifiers at the granualarity of a subscriber or
>> application wold be a lot more scalable than flow identifiers.
>> There are many problems with this issue.
>> First, the reason that port numbers would be needed is that they are
>> *currently* how NATs demux, firewalls enforce policy, and routers manage
> There is no requirement in IP that all packets have a transport layer
> header that with port numbers. ...

Yes, we agree. It's not the only way they SHOULD or COULD work, but it
is how they DO work. 

>> Ultimately, we have to admit that a device that acts on behalf of a host IS
>> a host and costs what a host costs.
> That in turn breaks the the end-to-end model.

Acting like what you are doesn't break anything; it lets you act to the
fullest extent possible. 

Relaying info through hosts inside a network path is what breaks the E2E
model - agreed. 

All I am saying is that: 
- IF you deploy a middle box, THEN it MUST act as a host and reassemble
(or do the equivalent) 

I wasn't endorsing the IF. 

> Middleboxes that attempt
> to participate transport protocols, like a host, inevitably break
> things and hence is another source of ossification. This is readily
> evident apparent in that they can't participate in end-to-end crypto.

They can* participate in crypto, but then the definition of E2E ends
where it should - at the middlebox. 

* = only if they somehow are given the key, of course 

> Of course they have tried to insert themselves into that realm, but
> then we get abominations such as the forced MITM attacks of SSL
> inspection. IMO, real end-to-end security is a core requirement that
> outweighs any tradeoffs we might make for the security benefits of
> firewalls.

I would argue that it is OK to give a middlebox the key if that's OK for
a given trust model, e.g., it would make sense inside an enterprise to
offload security to the ingress of that enterprise. But not elsewhere; 

>> We can't keep believing there is magic dust that can establish a solution
>> otherwise.
> As they say, the answer to ossification is encryption.

It's not an answer; it renders the question irrelevant, as it should. 

Not all questions necessarily have answers. As Rocket will tell you
(ref: end scenes, Guardians of the Galaxy), wanting something does not
make it so.