Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Joe Touch <> Thu, 30 August 2018 00:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4E3FB130ED9; Wed, 29 Aug 2018 17:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WTNotU4ePt5N; Wed, 29 Aug 2018 17:32:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1465C130E1C; Wed, 29 Aug 2018 17:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Type:MIME-Version:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Lr6cgfrF6y0BZZPoxr8PHHe2PKjfjakIM/FsFO0o3/Q=; b=5LAhR5o2s5FEfLvBS+LGh31H9 KFbKFly6Yz12D50wfq3JankXAAdJ5cZY5SaHVkvccl++VuC7MDzHvfZrXwYIwJuFtL69x2AAR0qtX bHkanYBMKk7e9X2CGgBQcsXB5qBvvkjVD7YHwFxzl6WcZsbk6stESpuju7mcXFSZ3z6+OrHTSV0hb 7lgEG0nyb5wOYmKlgqVdlFBKY/PxPUwYrmmnhyhvJgXxqICIEIm6AwNeWXhkIbJ5WMYsfkBo1d7o+ QVw+FzB2eJCvKLfT0aXwZx7d+y0eTa0gX/+Ni33blITkNVlHy7c+edlnVLYpv2Pb6xFLal8I+rPKV nwXP3LTsQ==;
Received: from [::1] (port=36512 by with esmtpa (Exim 4.91) (envelope-from <>) id 1fvAt9-003xUp-OC; Wed, 29 Aug 2018 20:32:44 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_d900480c046025dce308235367b6e3ca"
Date: Wed, 29 Aug 2018 17:32:43 -0700
From: Joe Touch <>
To: Tom Herbert <>
Cc: Toerless Eckert <>, Christian Huitema <>, int-area <>,
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Message-ID: <>
User-Agent: Roundcube Webmail/1.3.3
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Aug 2018 00:32:49 -0000

On 2018-08-29 10:38, Tom Herbert wrote:

> I don't think you need the part about acting as a host, that would
> have other implications.

It does, and that's exactly why you do. In particular, this includes
ICMP processing. 

> Also, the reassembly requirement might be
> specific to NAT and not other middlebox functionality. For instance,
> it would be sufficient for a firewall that is dropping UDP packets to
> some port to only drop the first fragment that has UDP port numbers
> and let the other fragments pass. Without the first fragment
> reassembly at the destination will simply timeout and the whole packet
> is dropped.

And that's a great example of why not reassembling (or equivalent) isn't
the appropriate behavior. 

Yes, the packet will still not be delivered, but the receiver will end
up doing a lot of work that isn't necessary. I.e., the middlebox has
ignored work it was responsible for and caused work elsewhere.  

Further, acting as a host is always the right thing for any node that
sources packets with its own IP address -- that includes NATs and
regular proxies. The behavior of transparent proxies is more complex,
but can be similarly reasoned from the appropriate equivalence model. 

>> ...
>> I would argue that it is OK to give a middlebox the key if that's OK for a
>> given trust model, e.g., it would make sense inside an enterprise to offload
>> security to the ingress of that enterprise. But not elsewhere;
> Sure enterprises can do that. But I'm more worried about the five
> billion mobile devices that may connect to random WIFI or mobile
> networks over the course of a day. For them there is simply no concept
> that the network will provide any level of security.

Which is a great reason why it might actually be useful to shift the
security work to a "home entrance" device by placing the security there.
It's a matter of system configuration, but the point is that it isn't
the device that makes it incorrect; it is how it is configured and