Re: New Version Notification for draft-bonica-6man-frag-deprecate-00.txt

[Mark Andrews <marka@isc.org>]

In message <014201ce7208$1378c5f0$3a6a51d0$@tndh.net>, "Tony Hain" writes:
> Mark Andrews wrote:
> > One needs to get the L4 information the firewall/loadbalancer uses in
> *each*
> > fragment.
> 
> This is a manufactured requirement to allow devices that can't do a full
> reassembly to operate in under a policy of 'verify the entire packet'.
> Unfortunately, it doesn't even do that since it doesn't actually detect
> overlapping fragments if it is just verifying that the L4 information is the
> same. 

Many firewalls are just trying to ensure packets match the <protocol,
src address, src port, dest address, dest port> tuple.  They are
not trying to protect from overlapping fragements.

That said being able to filter out / forward without reassembly
fragments that you are not interested in also reduces the number
of fragments that need to be processed in the reassembly queues of
the firewall itself when you are doing dpi of some of the packets.

> Load balancers just need to get over it, and use something more/other than
> the L4 in the hash. The FL was intended to provide a consistent value over
> the life of an L4 session, so why not use that instead of developing yet
> another new option? Wait,,, that doesn't exist in IPv4, so it can't be used
> because that would require learning something different...

Flow labels aren't a solution for all problems.  Yes, load balancers should
make use of them.

> > For UDP this is the source and destination ports.  Create a new skipable
> hop-
> > by-hop option that contains a copy of these values and add it along with a
> > fragment header when fragmenting UDP packets.
> 
> I have no problem with that concept, but why when there are other ways of
> accomplishing the task? Simply to mirror IPv4 is not a valid reason...

It isn't just mirror IPv4.
 
> > For TCP ensure that the IP layer informs the TCP layer if it would have to
> > fragment the packet. i.e. don't send fragmented TCP packets.
> 
> So TCP is never allowed to have a long-lived session ...

No.  It's send the equivalent of PTB back to the TCP layer and have
it re-segment rather than fragment a badly sized segment it passed
to the IP layer.  You have a broken stack if you see a TCP fragment.

> Or routes are not
> allowed to flap. Which is it? You either tear down tcp and renegotiate mss
> every time routes flap to a path with a lower mtu, or you send fragments. It
> is easy to say the core is >=1500 now, but what happens with a mix of
> 1500/4k/9k/32k/... over the life of IPv6? Are routes never allowed to flap
> with larger MTUs? Do you require every TCP implementation to do dynamic MSS,
> and try to get that deployed within a decade to two?
> 
> > 
> > For ICMPv6 ???
> > 
> > For IPv4 if DF=0 fragment the Ipv4 packet to fit in inside 1280 IPv6
> packets
> > destination reassembles.
> > For IPv4 if DF=1 return IPv4 PTB
> > 
> > For XXX ????
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org