
RE: Is Fragmentation at IP layer even needed ?

2016-02-11 12:08:07
Hi Joe,

-----Original Message-----
From: ietf [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Joe Touch
Sent: Thursday, February 11, 2016 9:58 AM
To: Masataka Ohta; ietf(_at_)ietf(_dot_)org
Subject: Re: Is Fragmentation at IP layer even needed ?



On 2/11/2016 6:05 AM, Masataka Ohta wrote:
Joe Touch wrote:

I repeat: nodes that encap or decap are acting as sources or sinks, not
relays.

I'm afraid firewalls are relays.

A firewall that filters on L3 is a router regardless of which side you
look at.

A firewall that encaps/decapsulates is a host on the public side and a
router on the private side. A firewall that inspects beyond L3 is a host
as well, for similar reasons.

So the term "firewall" isn't the issue; it's the behavior that is.

Nodes such as NATs and firewalls act as end hosts on the public side and
routers on the private side. Which is why they need to obey RFC1122
semantics on the public side.

So, you think firewalls should reassemble fragments. Wow!

And yet that is exactly the correct conclusion regarding most behaviors
that firewalls perform that act like end hosts. Once you realize that
inspecting L4 or encaps/decaps is acting like a host, the requirements
become very clear - even if you don't like them.

So yes, a firewall that inspects L4 or encap/decaps either needs to
reassemble fragments or act like that's what's happening (e.g., to
retain a copy of the first fragment of a set to direct later fragments
within that set).

Correct - Cisco calls that "Virtual Fragmentation Reassembly", i.e., gather
up all of the fragments in the set and then release them unassembled
once the firewall has determined that the packet is acceptable.

Thanks - Fred
fred(_dot_)l(_dot_)templin(_at_)boeing(_dot_)com

The model takes you to exactly the right conclusion.

Joe
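An added illustration of the behaviour discussed above (the firewall buffering a fragment set, judging the virtually reassembled datagram, then forwarding the original fragments or dropping the set); this is example code written for this page, not Cisco's implementation and not code from anyone in the thread. It assumes IPv4 without options, a policy callback that inspects the L4 header, and constructed fragments built inline.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options

def build_ipv4_fragment(src, dst, ident, offset, more, proto, payload):
    """Constructed fragment: offset in bytes (multiple of 8), more=True sets MF."""
    flags_off = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)   # checksum left 0
    return hdr + payload

def parse_ipv4(pkt):
    """Return the fields VFR needs: fragment-set key, MF flag, offset, data."""
    _, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    return dict(key=(src, dst, ident, proto), more=bool(flags_off & 0x2000),
                off=(flags_off & 0x1FFF) * 8, data=pkt[ihl:total])

class VirtualReassembler:
    """Buffer a fragment set; judge the virtually reassembled datagram; then
    release the ORIGINAL fragments unassembled, or drop the whole set."""
    def __init__(self, policy):
        self.policy = policy           # policy(proto, l4_payload) -> bool
        self.sets = defaultdict(list)  # key -> [(parsed, raw), ...]
    def feed(self, pkt):
        f = parse_ipv4(pkt)
        frags = self.sets[f["key"]]
        frags.append((f, pkt))
        frags.sort(key=lambda t: t[0]["off"])
        if frags[-1][0]["more"]:
            return []                  # final fragment (MF=0) not seen yet
        expected = 0
        for g, _ in frags:
            if g["off"] < expected:    # overlap or duplicate: refuse the set
                del self.sets[f["key"]]
                return []
            if g["off"] > expected:
                return []              # gap: keep waiting
            expected = g["off"] + len(g["data"])
        del self.sets[f["key"]]
        payload = b"".join(g["data"] for g, _ in frags)
        if self.policy(f["key"][3], payload):
            return [raw for _, raw in frags]   # forwarded, still fragmented
        return []                              # entire set dropped

def allow_https_only(proto, payload):
    """Sample policy: TCP to destination port 443 (reads the L4 header)."""
    return proto == 6 and len(payload) >= 4 and payload[2:4] == b"\x01\xbb"
```

A production filter would also time out incomplete sets and bound the buffer per source, which this sketch omits.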