Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Joe Touch <> Sun, 26 August 2018 22:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0C43D130E03; Sun, 26 Aug 2018 15:50:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2K9qn0JYmPRp; Sun, 26 Aug 2018 15:50:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C5E66130DD5; Sun, 26 Aug 2018 15:50:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=U0kPZXUGi7jGy+i2e9mbGWwf7/ORx2cMz9Lw3XJ8W/s=; b=DUaP9gLb0mNIAJLJoB/39R/1p reEsIQyTNi0fjcUcPJbYpcJkQJoLMIfjUL0dWWhk/4DCvEqC5vfhQboMkdrlvSWjVvScF34Mo6HpW I2NOLsCEcGmW+surv/v8LjCx8v5h+bgo9c5pI5yEV0m6O+IFanlNIE/q+xD3IfuSRKUDvo6OnO1Af 4StP4vzTodq3GLYw7Lts3BIDXJMw27Bzkt/wBnZ5kBgJSyoc+LvRwTeFLj8VjywKfXuwoki44dvXs yNjKNuztXqbyIB6p8vOyyOgjvuAOpYK8ROd733GUSLn++1RJ2In4qLL1RVt9jo1aGTDwbLQ1zUWu4 vkDGvDGUw==;
Received: from ([]:60870 helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <>) id 1fu3rQ-002d4n-83; Sun, 26 Aug 2018 18:50:21 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_F3995445-6B78-4EB2-BFA3-58F2FBCB72CC"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <>
In-Reply-To: <>
Date: Sun, 26 Aug 2018 15:50:18 -0700
Cc: Christian Huitema <>, Tom Herbert <>, int-area <>,
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: Toerless Eckert <>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 26 Aug 2018 22:50:24 -0000

> On Aug 26, 2018, at 2:55 PM, Toerless Eckert <> wrote:
> On Sun, Aug 26, 2018 at 11:38:57AM -0700, Joe Touch wrote:
>> NATs already have what they need to do the proper job - they need to reassemble and defragment using unique IDs (or cache the first fragment when it arrives and use it as context for later - or earlier cached - fragments). There???s no rule that IP packets that are fragmented MUST have a transport header both visible (not encrypted) and immediately following the IP header. 
> Reassmbly/refragment and MTU discovery puts NAT out of the realm of many
> cost effective HW acceleration methods. Simple address rewrite does not.

And crumple zones and airbags get in the way of cars running fast and being inexpensive.

I.e., you’re right - doing NATs properly is more expensive than lying that you have a functioning NAT that doesn’t.

>> Firewalls are just delusions; [1]
>> the context they think they???re enforcing has no meaning except at the endpoints; it never did. [2]
> I completely agree with [2], but my conclusion is not [1], but
> rathat its highly valuable and necessary.

Good. Continue to run them and tell your customers that they actually stop email when they block ports 23 and 110, etc.

The rest of us then will tunnel one port over another (VPN) and walk right through that device (like we all dll all the time in hotels).

> The ability of firewalls to open 5-tuple bidirectional pinholes because
> of trigger traffic from the inside is IMHO the most important feature
> to keep Internet hosts protected.

A firewall hsa to be close enough to the endpoint to act as its proxy; at that point, provided it does act as its proxy, then that sort of 5-tuple filtering works fine. You’re offloading work of the host elsewhere - but that firewall needs to act as a true host proxy, which includes reassembly, or it won’t work properly (nor can it ever).

> I wish host stacks would be built securely,
> but after a few decdaces i have given up on that for most hosts. Which is
> why its so irritating when host stack pundits continue telling network device
> stack builders what they should and should not do.

No argument there - but again, pushing the work of that host to another device MAKES THAT DEVICE A HOST.

Hosts receiving packets reassemble. Period. Or they won’t work. Period. And those that don’t, don’t work.

> Firewalls inspecting unencrypted higher layer message elements where a fairly
> well working security model based on having a separate security administration
> from the application administration.

No better, FWIW, than would be managed software inside the end system. There’s no strict rule these need to be separate devices, but - as per above - they work fine when they act as they actually need to.

> Now the applications promise to
> provide all the security themselves, but they primarily just prohibit visibility
> of what they do, so its a lot harder to figure out when they are insecure.
> Would you ever put all type of in-home "iot" gear thats not a Windows/MacOS
> system with a GUI you can control on the Internet without a firewall ?

Without firewall functions somewhere? No - I agree. But I also wouldn’t put that firewall inside the network where it couldn’t see the fragments to reassemble - because it will never work properly.

I.e., I agree that “it hurts when we do that”, but not that we have to do it the wrong way (even though it’s cheaper).