On Fri, Feb 12, 2016 at 1:27 PM Joe Touch <touch(_at_)isi(_dot_)edu> wrote:
On 2/11/2016 12:54 PM, Masataka Ohta wrote:
Joe Touch wrote:
...
So yes, a firewall that inspects L4 or encap/decaps either needs to
reassemble fragments or act like that's what's happening (e.g., to
retain a copy of the first fragment of a set to direct later fragments
within that set).
Remember, with IPv6, the firewall can't fragment the reassembled
packets.
Routers shouldn't reassemble, but then routers aren't supposed to look
beyond L3. You cannot have it both ways.
You keep saying that.... and then a bunch of operators say "Yeah, but I
have an actual network to run, and I need to look beyond L3 because my
customers want me to mitigate their DoS, I want to filter on L4 before
handing data to internal services, and I use ECMP and need L4 because I
cannot rely on flow labels".
Once you inspect L4, you *are* acting as a host.
So, this entire thread (which has reminded me why I stopped participating
in v6ops) is just a terminology issue? ;-)
Actually, I've just noticed that this thread is actually on ietf@ --
perhaps it should be moved to v6ops?
As Mark pointed out, you don't need to strictly reassemble (i.e., to
emit a corresponding reassembled packet). You just need to reassemble
the information.
Which requires keeping state, yes? This is not realistic in modern large
network devices.
Saying "vendors should jolly well do a better job and redesign their gear
so that it can, and operators should simply pay whatever the cost is... oh,
and redesign their networks for flow consistency, because *that's what the
specifications require*" is likely to continue having people say "Yeah,
sure, whatever. But I've got a real network to run...."
So, no, unless the firewall output reassembled packets,
which may be larger than MTU of an outgoing link, it is not "act
like that's what's happening".
As Fred pointed out, existing devices already emulate reassembly without
emmitting the reassembled result.
--
Remember too, that if the firewall is "translating" the headers it ends
up completely acting as a host - because it sources IP packets with its
own IP addresses. In that case, it can apply source fragmentation.
Yes - this also means that a firewall that changes headers needs to
assign new, unique ID values for any fragmented packets too. And it
needs to act as a terminus for ICMP PTB errors to adjust its
fragmentation size.
Again, the model leads you to the correct conclusions.
... and yet we see lots of evidence that fragments (and EH) have issues in
real world testing.
W
Joe