Re: Is Fragmentation at IP layer even needed ?

2016-02-11 22:00:56
Mark Andrews wrote:

Remember, with IPv6, the firewall can't fragment the reassembled
packets. So, no, unless the firewall outputs reassembled packets,
which may be larger than the MTU of an outgoing link, it is not "act
like that's what's happening".

The key words were "act like that's what's happening".  You can
hold fragments until you see the first fragment, check it, then
release all matching fragments.

Thus, a set of packets are investigated and there is no
reassembly happening.

It is merely that some firewalls sometimes change filtering
behavior by investigating a set of packets (like snooping
ftp command stream to open data port, which no one calls virtual
TCP streaming), regardless of whether the packets are fragments
of a packet or not.

You can virtually reassemble all
the fragments then release them all if you need to see the entire
packet.  There has never been a need to throw away all fragments.

Ok, ok. Though something you call "virtual reassembly" is not
reassembly at all, its processing cost is equivalent to real
reassembly. That is, you are saying fragmentation and reassembly
are so easy that there is no need to avoid them.

So, let's revise IPv6 and use fragmentation everywhere. There has
never been a need for impossible PMTUD.

Only poor purchasing decisions causing everyone else to have to
work around them.

It is caused primarily by stupid design of IPv6.

                                                Masataka Ohta
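
The hold-and-release behaviour discussed in this message (hold fragments until the first fragment is seen, check it, then release all matching fragments), as an added example that is not part of the original message and not code from either participant. Fragments are constructed dicts rather than parsed packets; `FragmentGate`, `allow_dns_only`, the 64-fragment cap and the 60-second timeout are assumptions made for illustration.

```python
import time

class FragmentGate:
    """Hold non-first fragments until the first fragment has been checked.

    Fragments are forwarded unmodified; nothing is reassembled.
    """

    def __init__(self, policy, max_held=64, timeout=60.0):
        self.policy = policy        # callable(first_fragment) -> bool (hypothetical)
        self.max_held = max_held    # assumed per-packet cap on buffered fragments
        self.timeout = timeout      # assumed seconds to keep per-packet state
        self.state = {}             # key -> {"t0", "verdict", "held"}

    @staticmethod
    def key(frag):
        # Fragments of one IPv6 packet share source, destination, Identification.
        return (frag["src"], frag["dst"], frag["ident"])

    def submit(self, frag, now=None):
        """Return the fragments to forward as a result of this arrival."""
        now = time.monotonic() if now is None else now
        self.expire(now)
        st = self.state.setdefault(
            self.key(frag), {"t0": now, "verdict": None, "held": []})
        if st["verdict"] is not None:          # already decided for this packet
            return [frag] if st["verdict"] else []
        if frag["offset"] == 0:                # first fragment: upper-layer header
            st["verdict"] = bool(self.policy(frag))
            held, st["held"] = st["held"], []
            return [frag] + held if st["verdict"] else []
        if len(st["held"]) >= self.max_held:   # bound memory: give up on packet
            st["verdict"], st["held"] = False, []
            return []
        st["held"].append(frag)                # wait for the first fragment
        return []

    def expire(self, now):
        """Discard state (and any held fragments) older than the timeout."""
        old = [k for k, s in self.state.items() if now - s["t0"] > self.timeout]
        for k in old:
            del self.state[k]

    def held_count(self):
        return sum(len(s["held"]) for s in self.state.values())

def allow_dns_only(first):
    # Hypothetical policy: permit UDP destination port 53 only.
    return first.get("proto") == "udp" and first.get("dport") == 53
```

The per-packet buffer, cap and timeout are the state such a device has to carry while it waits for the first fragment.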