Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

[Joe Touch <touch@strayalpha.com>]

> On Aug 26, 2018, at 2:55 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> On Sun, Aug 26, 2018 at 11:38:57AM -0700, Joe Touch wrote:
>> NATs already have what they need to do the proper job - they need to reassemble and defragment using unique IDs (or cache the first fragment when it arrives and use it as context for later - or earlier cached - fragments). There???s no rule that IP packets that are fragmented MUST have a transport header both visible (not encrypted) and immediately following the IP header. 
> 
> Reassmbly/refragment and MTU discovery puts NAT out of the realm of many
> cost effective HW acceleration methods. Simple address rewrite does not.

And crumple zones and airbags get in the way of cars running fast and being inexpensive.

I.e., you’re right - doing NATs properly is more expensive than lying that you have a functioning NAT that doesn’t.

>> Firewalls are just delusions; [1]
>> the context they think they???re enforcing has no meaning except at the endpoints; it never did. [2]
> 
> I completely agree with [2], but my conclusion is not [1], but
> rathat its highly valuable and necessary.

Good. Continue to run them and tell your customers that they actually stop email when they block ports 23 and 110, etc.

The rest of us then will tunnel one port over another (VPN) and walk right through that device (like we all dll all the time in hotels).

> The ability of firewalls to open 5-tuple bidirectional pinholes because
> of trigger traffic from the inside is IMHO the most important feature
> to keep Internet hosts protected.

A firewall hsa to be close enough to the endpoint to act as its proxy; at that point, provided it does act as its proxy, then that sort of 5-tuple filtering works fine. You’re offloading work of the host elsewhere - but that firewall needs to act as a true host proxy, which includes reassembly, or it won’t work properly (nor can it ever).

> I wish host stacks would be built securely,
> but after a few decdaces i have given up on that for most hosts. Which is
> why its so irritating when host stack pundits continue telling network device
> stack builders what they should and should not do.

No argument there - but again, pushing the work of that host to another device MAKES THAT DEVICE A HOST.

Hosts receiving packets reassemble. Period. Or they won’t work. Period. And those that don’t, don’t work.

> Firewalls inspecting unencrypted higher layer message elements where a fairly
> well working security model based on having a separate security administration
> from the application administration.

No better, FWIW, than would be managed software inside the end system. There’s no strict rule these need to be separate devices, but - as per above - they work fine when they act as they actually need to.

> Now the applications promise to
> provide all the security themselves, but they primarily just prohibit visibility
> of what they do, so its a lot harder to figure out when they are insecure.
> 
> Would you ever put all type of in-home "iot" gear thats not a Windows/MacOS
> system with a GUI you can control on the Internet without a firewall ?

Without firewall functions somewhere? No - I agree. But I also wouldn’t put that firewall inside the network where it couldn’t see the fragments to reassemble - because it will never work properly.

I.e., I agree that “it hurts when we do that”, but not that we have to do it the wrong way (even though it’s cheaper).

Joe