On 2/11/2016 12:54 PM, Masataka Ohta wrote:
Joe Touch wrote:
...
So yes, a firewall that inspects L4 or encap/decaps either needs to
reassemble fragments or act like that's what's happening (e.g., to
retain a copy of the first fragment of a set to direct later fragments
within that set).
Remember, with IPv6, the firewall can't fragment the reassembled
packets.
Routers shouldn't reassemble, but then routers aren't supposed to look
beyond L3. You cannot have it both ways.
Once you inspect L4, you *are* acting as a host.
As Mark pointed out, you don't need to strictly reassemble (i.e., to
emit a corresponding reassembled packet). You just need to reassemble
the information.
So, no, unless the firewall outputs reassembled packets,
which may be larger than the MTU of an outgoing link, it does not "act
like that's what's happening".
As Fred pointed out, existing devices already emulate reassembly without
emitting the reassembled result.
--
Remember too, that if the firewall is "translating" the headers it ends
up completely acting as a host - because it sources IP packets with its
own IP addresses. In that case, it can apply source fragmentation.
Yes - this also means that a firewall that changes headers needs to
assign new, unique ID values for any fragmented packets too. And it
needs to act as a terminus for ICMP PTB errors to adjust its
fragmentation size.
Again, the model leads you to the correct conclusions.
Joe
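A small illustration of the "emulate reassembly without emitting the reassembled result" point discussed in this thread, added here as an example and not code from any participant: the first fragment's upper-layer header is inspected once, the verdict is remembered per (src, dst, Identification) set, and later fragments of that set inherit it without any packet being rebuilt. Fragments are modelled as plain records constructed inline rather than parsed from real packets, and the `Fragment`, `SetState` and policy-callback names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                          # IPv6 Fragment header Identification
    offset: int                         # fragment offset, 8-octet units
    more: bool                          # M flag
    next_header: Optional[int] = None   # upper-layer protocol (first fragment only)
    dport: Optional[int] = None         # transport destination port (first fragment only)

@dataclass
class SetState:
    expires: float
    verdict: Optional[bool] = None      # None until the first fragment has been seen
    held: list = field(default_factory=list)

class VirtualReassembler:
    """Decide on the first fragment's L4 header, remember the verdict per
    fragment set, and apply it to the remaining fragments unchanged."""
    def __init__(self, policy, ttl=60.0):
        self.policy = policy            # callable(next_header, dport) -> allow?
        self.ttl = ttl                  # seconds a set's state is retained
        self.sets = {}                  # (src, dst, ident) -> SetState

    def process(self, frag, now=0.0):
        """Return the (fragment, allowed) decisions released by this arrival."""
        self._expire(now)
        key = (frag.src, frag.dst, frag.ident)
        state = self.sets.setdefault(key, SetState(expires=now + self.ttl))
        if frag.offset == 0:
            # Only the first fragment carries the upper-layer header: decide once.
            state.verdict = self.policy(frag.next_header, frag.dport)
            released, state.held = state.held + [frag], []
            return [(f, state.verdict) for f in released]
        if state.verdict is None:
            state.held.append(frag)     # out of order: hold until the first fragment
            return []
        return [(frag, state.verdict)]  # verdict inherited from the first fragment

    def _expire(self, now):
        # Drop stale sets; any fragments still held are discarded with the state.
        for key in [k for k, s in self.sets.items() if s.expires <= now]:
            del self.sets[key]
```

Fragments that arrive before their set's first fragment are held rather than forwarded, which is the memory cost that makes this "acting as a host" in the sense the thread describes.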