On 10/11/2013 04:48 AM, Ray Hunter wrote:
> I think the draft does what it can in a pragmatic manner, but might
> benefit from some acknowledgement that this security approach of
> applying parsing at a single perimeter can never ever catch all variants
> of transporting FOO over BAR.
FWIW, my idea of the I-D is that it says "look, if you don't put all
this info into the first fragment, it's extremely likely that your
packets will be dropped". That doesn't mean that a middle-box may not want
to look further. But looking further might imply
reassemble-inspect-and-refragment... or even reassembling the TCP stream
(e.g. think about an SSL/TCP-based VPN...)
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
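The two behaviours discussed in this thread, shown as an added example that is not code from either poster or from the I-D: a node that only parses the first fragment walks the IPv6 header chain and drops a first fragment whose chain (through the upper-layer header) does not end inside that fragment, and a middle-box that wants to "look further" reassembles the fragments first and then walks the chain of the rebuilt packet. The packet bytes, addresses, the exact drop rule and the minimum upper-layer header sizes are constructed assumptions for the demonstration; the extension-header length rules (8-octet units for Hop-by-Hop, Routing and Destination Options, 4-octet units plus two for AH) are the standard ones.

```python
import struct

# IANA Next Header values used below
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, AH, ICMPV6, DEST_OPTS = 0, 6, 17, 43, 44, 51, 58, 60
# Minimum fixed header we require to be present for the upper-layer protocol
# (assumption: TCP without options, UDP, and the 4-byte ICMPv6 type/code/checksum).
UPPER_LAYER_MIN = {TCP: 20, UDP: 8, ICMPV6: 4}


def walk_header_chain(pkt):
    """Walk the IPv6 header chain of one raw packet (bytes).

    Returns a dict with: fragmented / first_fragment flags, frag_pos (offset of
    the Fragment header), frag_nh_field (offset of the Next Header byte that
    points to it), upper_layer (protocol the chain ends in, or None if the chain
    runs past the end of the packet) and upper_complete (whether the minimum
    upper-layer header is entirely inside this packet).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    end = min(len(pkt), 40 + struct.unpack_from("!H", pkt, 4)[0])  # bytes we really have
    info = dict(fragmented=False, first_fragment=False, frag_pos=None,
                frag_nh_field=None, upper_layer=None, upper_complete=False)
    nh, off, nh_field = pkt[6], 40, 6
    while True:
        if nh == FRAGMENT:
            if off + 8 > end:
                return info                      # cut off inside the Fragment header
            nh, _, offflags = struct.unpack_from("!BBH", pkt, off)
            info.update(fragmented=True, first_fragment=(offflags >> 3) == 0,
                        frag_pos=off, frag_nh_field=nh_field)
            if not info["first_fragment"]:
                return info                      # later fragments carry no headers to walk
            nh_field, off = off, off + 8
        elif nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH):
            if off + 2 > end:
                return info
            hdr_len = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
            if off + hdr_len > end:
                return info                      # header continues in a later fragment
            nh, nh_field, off = pkt[off], off, off + hdr_len
        else:
            info["upper_layer"] = nh
            info["upper_complete"] = off + UPPER_LAYER_MIN.get(nh, 0) <= end
            return info


def drop_first_fragment(pkt):
    """Perimeter policy (assumption, not the draft's wording): drop a first fragment
    whose header chain does not end, with a whole upper-layer header, inside it."""
    info = walk_header_chain(pkt)
    return bool(info["fragmented"] and info["first_fragment"] and not info["upper_complete"])


def reassemble(fragments):
    """Reassemble-then-inspect: rebuild one packet from all of its fragments
    (assumes they belong to one packet, are complete and do not overlap)."""
    parts = []
    for f in fragments:
        info = walk_header_chain(f)
        offset = (struct.unpack_from("!H", f, info["frag_pos"] + 2)[0] >> 3) * 8
        total = 40 + struct.unpack_from("!H", f, 4)[0]
        parts.append((offset, f, info, f[info["frag_pos"] + 8:total]))
    parts.sort(key=lambda p: p[0])
    _, first, info, _ = parts[0]
    unfrag = bytearray(first[:info["frag_pos"]])
    unfrag[info["frag_nh_field"]] = first[info["frag_pos"]]   # splice the Fragment header out
    data = b"".join(p[3] for p in parts)
    unfrag[4:6] = struct.pack("!H", len(unfrag) - 40 + len(data))
    return bytes(unfrag) + data


# --- constructed packets (documentation-prefix addresses, fake TCP SYN) ---
SRC = bytes.fromhex("20010db8" + "00" * 12)
DST = bytes.fromhex("20010db8" + "00" * 11 + "01")

def ipv6(payload, nh):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64, SRC, DST) + payload

def frag_hdr(nh, offset, more, ident=0x1234):
    return struct.pack("!BBHI", nh, 0, (offset // 8) << 3 | more, ident)

def dest_opts(nh, total_len):
    # total_len is a multiple of 8; the option space is filled with Pad1 options
    return bytes([nh, total_len // 8 - 1]) + b"\x00" * (total_len - 2)

TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

PLAIN = ipv6(dest_opts(TCP, 8) + TCP_HDR, DEST_OPTS)              # unfragmented
good = dest_opts(TCP, 8) + TCP_HDR + b"\x00" * 12                    # 40-byte fragmentable part
GOOD_FIRST = ipv6(frag_hdr(DEST_OPTS, 0, 1) + good[:32], FRAGMENT)   # DestOpts + whole TCP header
GOOD_LAST = ipv6(frag_hdr(DEST_OPTS, 32, 0) + good[32:], FRAGMENT)
bad = dest_opts(TCP, 48) + TCP_HDR                                   # 48-byte DestOpts: chain too long
BAD_FIRST = ipv6(frag_hdr(DEST_OPTS, 0, 1) + bad[:32], FRAGMENT)     # TCP header only in fragment 2
BAD_LAST = ipv6(frag_hdr(DEST_OPTS, 32, 0) + bad[32:], FRAGMENT)
trunc = dest_opts(TCP, 24) + TCP_HDR + b"\x00" * 4
TRUNC_FIRST = ipv6(frag_hdr(DEST_OPTS, 0, 1) + trunc[:32], FRAGMENT)  # only 8 of 20 TCP bytes present

if __name__ == "__main__":
    for name, p in [("unfragmented", PLAIN), ("good first", GOOD_FIRST),
                    ("bad first", BAD_FIRST), ("truncated tcp", TRUNC_FIRST)]:
        print(f"{name:14} drop={drop_first_fragment(p)} chain={walk_header_chain(p)}")
    print("after reassembly:", walk_header_chain(reassemble([BAD_LAST, BAD_FIRST])))
```

The first-fragment check is cheap and stateless, which is why a perimeter box can apply it at line rate, but it only ever says whether the chain is visible; anything it cannot see (the second case above, or the protocol that a later fragment or a TCP stream actually carries) is exactly the FOO-over-BAR variant Ray Hunter's remark is about, and reaching it costs the reassembly state that `reassemble` keeps.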