
Re: Is Fragmentation at IP layer even needed ?

2016-02-11 14:55:14
Joe Touch wrote:

So, you think firewalls should reassemble fragments. Wow!

And yet that is exactly the correct conclusion regarding most behaviors
that firewalls perform that act like end hosts. Once you realize that
inspecting L4 or encaps/decaps is acting like a host, the requirements
become very clear - even if you don't like them.

The reality is that you don't like the reality.

So yes, a firewall that inspects L4 or encap/decaps either needs to
reassemble fragments or act like that's what's happening (e.g., to
retain a copy of the first fragment of a set to direct later fragments
within that set).

Remember, with IPv6, the firewall can't fragment the reassembled
packets. So, no, unless the firewall outputs reassembled packets,
which may be larger than the MTU of an outgoing link, it is not "act
like that's what's happening".

The model takes you to exactly the right conclusion.

The wrong conclusion above means your model is broken.

A simplistic view is not applicable to complicated things.

                                                        Masataka Ohta