In message
<56BCF514(_dot_)6040401(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp>,
Masataka Ohta writes:
Joe Touch wrote:
So, you think firewalls should reassemble fragments. Wow!
And yet that is exactly the correct conclusion regarding most behaviors
that firewalls perform that act like end hosts. Once you realize that
inspecting L4 or encaps/decaps is acting like a host, the requirements
become very clear - even if you don't like them.
The reality is that you don't like the reality.
So yes, a firewall that inspects L4 or encap/decaps either needs to
reassemble fragments or act like that's what's happening (e.g., to
retain a copy of the first fragment of a set to direct later fragments
within that set).
Remember, with IPv6, the firewall can't fragment the reassembled
packets. So, no, unless the firewall output reassembled packets,
which may be larger than MTU of an outgoing link, it is not "act
like that's what's happening".
The key words were "act like that's what's happening". You can
hold fragments until you see the first fragment, check it, then
release all matching fragments. You can virtually reassemble all
the fragments then release them all if you need to see the entire
packet. There has never been a need to throw away all fragments.
Only poor purchasing decisions causing everyone else to have to
work around them.
The model takes you to exactly the right conclusion.
The wrong conclusion above means your model is broken.
Simplistic view is not applicable to complicated things.
Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org