* Joe Abley:
> The assumption is that "firewall" means "device that keeps
> state". This could be a firewall, or a NAT, or an in-line DPI
> device, or something similar. We're not talking about stateless
> packet filters.
I think you still can't serve UDP over IPv6 without per-client state, keeping both full RFC conformance and interoperability with the existing client population. Pre-fragmentation to 1280 or so bytes isn't enough; you also have to generate atomic fragments. But the latter cannot be processed by some clients, so you cannot send out atomic fragments unconditionally (even if there were a socket option to do that). Many large servers do not even pre-fragment to 1280 bytes, so they rely on path MTU information in the destination cache for communication with clients on sub-1500-MTU links.

I wonder when this statefulness of IPv6 UDP traffic will cause practical problems, probably as soon as the traffic levels exceed what can be comfortably kept in the server cache.

Enough ranting today. I suspect this issue will only get addressed when enough operators experience it first-hand, like the EDNS0 fallback issue.
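As an added illustration (not code from the thread or from any poster), the two stateless sender strategies named above, pre-fragmenting a UDP datagram to the 1280-byte IPv6 minimum MTU and emitting an RFC 6946 atomic fragment, expressed as IPv6 Fragment header construction per RFC 8200 section 4.5, with a reassembler to check the result. It assumes a bare 40-byte IPv6 header with no extension headers other than the Fragment header; the payload is a constructed byte string.

```python
import struct

IPV6_HDR_LEN = 40      # fixed IPv6 header; no other extension headers assumed
FRAG_HDR_LEN = 8       # IPv6 Fragment extension header (RFC 8200 s4.5)
IPV6_MIN_MTU = 1280    # every IPv6 link must carry at least this much
NH_UDP = 17

def frag_header(next_header, offset_units, more, ident):
    """Fragment header: NH, reserved, 13-bit offset (8-octet units) | M flag, ID."""
    off_m = (offset_units << 3) | (1 if more else 0)
    return struct.pack("!BBHI", next_header, 0, off_m, ident)

def pre_fragment(payload, ident, next_header=NH_UDP, mtu=IPV6_MIN_MTU):
    """Split a datagram so every fragment fits the minimum MTU, which is what a
    sender can do without keeping any per-destination path MTU state."""
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7   # largest multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(frag_header(next_header, off // 8, more, ident) + piece)
    return frags

def atomic_fragment(payload, ident, next_header=NH_UDP):
    """Whole datagram in one fragment (offset 0, M=0): the RFC 6946 'atomic
    fragment' a conforming sender emits after a Packet Too Big below 1280."""
    return frag_header(next_header, 0, False, ident) + payload

def reassemble(frags):
    """Parse the fragment headers and rebuild the datagram.
    Returns (next_header, payload); raises ValueError if fragments are missing."""
    pieces, nh, total = {}, None, None
    for f in frags:
        nh, _, off_m, _ident = struct.unpack("!BBHI", f[:FRAG_HDR_LEN])
        offset, more = (off_m >> 3) * 8, off_m & 1
        pieces[offset] = f[FRAG_HDR_LEN:]
        if not more:
            total = offset + len(f) - FRAG_HDR_LEN
    data = b"".join(pieces[k] for k in sorted(pieces))
    if total is None or len(data) != total:
        raise ValueError("incomplete fragment set")
    return nh, data
```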