On Thu, Feb 11, 2016 at 12:58 PM, Joe Touch <touch(_at_)isi(_dot_)edu> wrote:
On 2/11/2016 6:05 AM, Masataka Ohta wrote:
Joe Touch wrote:
I repeat: nodes that encap or decap are acting as sources or sinks, not
relays.
I'm afraid firewalls are relays.
A firewall that filters on L3 is a router regardless of which side you
look at.
Using 'layers' to describe Internet architecture can be very
misleading because the Internet isn't layered according to the ISO
model and the layers don't necessarily stack up the way people expect
once tunneling is involved.
For example, if I have an SSH channel to a system (or a TLS firewall),
I have a transport layer protocol that is presenting a packet layer
interface.
So if we number the layers, we have 1, 2, 3, 4, 5, 3 [4, 5, 7].
One of the things I learned early on programming Microsoft BASIC was
to not use sequential line numbers. And I was really glad to get rid
of line numbers when I moved to machines with decent amounts of RAM.
Seems to me that the numbered layer model confuses rather than
clarifies and especially so when tunneling is being discussed.
A tunnel should be a tunnel. If you fragment at the tunnel ingress,
you should defragment at the egress. Otherwise you are simply pushing
your state maintenance requirements onto the receiving endpoint in a
way that isn't scaleable.