In message <[email protected]>, Nicholas Weaver writes:
>
> > On Jan 23, 2015, at 10:01 AM, Paul Hoffman <[email protected]> wrote:
> >
> > What is the problem with #2? IP fragmentation happens, and The Internet
> > is expected to work with it. That is, of what possible value is "inform
> > their customers"?
>
> The Internet has unfortunately decreed that Fragmentation Does Not Work
> with IPv4, and Really Does Not Work with IPv6.

No. Firewall vendors are too lazy to properly design them to handle
fragments. There is nothing inherently wrong with using fragments. You
don't need to reassemble packets to filter them. Adding two on demand
entries would let the reply traffic get through without it being wide
open to all fragments.

    source addr + dest addr + protocol + fragoffset == 0 + src port + dest port
    source addr + dest addr + protocol + fragoffset != 0

Firewalls today add the first of these rules but not the second. You
could turn the != into a > x where x covers the layer 3 protocol header.
"pass udp any any frag" works when the firewall vendor doesn't add the
second on demand rule.

> This will cause timeouts until the resolver realizes it should use a
> smaller EDNS0 MTU and in that case, the resolver will failover to TCP for
> that query, which some in the DNS community view as anathema...
>
> --
> Nicholas Weaver                  it is a tale, told by an idiot,
> [email protected]                 full of sound and fury,
> 510-666-2903                     .signifying nothing
> PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
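The two on-demand entries Mark describes, modelled as a small stateful filter. This is an added illustration, not code from the thread or from any firewall product; the Packet fields, the class name and the RFC 5737 addresses are constructed for the example. When an outbound UDP query is seen it installs both the 5-tuple entry (matches the first fragment, which carries the ports) and the 3-tuple entry (matches later fragments, which carry no transport header), so a fragmented DNS reply passes while fragments from an unrelated host are still dropped.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp" or "tcp"
    frag_offset: int             # in 8-byte units; 0 for first/unfragmented
    sport: Optional[int] = None  # ports exist only when frag_offset == 0
    dport: Optional[int] = None


class FragAwareFirewall:
    """Stateful filter that adds both on-demand entries per outbound flow."""

    def __init__(self, min_offset: int = 0) -> None:
        # min_offset 0 means "fragoffset != 0"; raising it to cover the
        # transport header (in 8-byte units) is the "> x" variant.
        self.min_offset = min_offset
        self.flow_entries = set()  # (src, dst, proto, sport, dport)
        self.frag_entries = set()  # (src, dst, proto)

    def outbound(self, pkt: Packet) -> None:
        # Install reply-direction entries for both rules at once.
        self.flow_entries.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
        self.frag_entries.add((pkt.dst, pkt.src, pkt.proto))

    def inbound(self, pkt: Packet) -> bool:
        if pkt.frag_offset == 0:
            # First fragment: ports are present, match the 5-tuple entry.
            return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.flow_entries
        # Later fragment: no ports to look at, match the 3-tuple entry.
        return pkt.frag_offset > self.min_offset and \
            (pkt.src, pkt.dst, pkt.proto) in self.frag_entries


def pass_any_frag(pkt: Packet) -> bool:
    """The wide-open 'pass udp any any frag' workaround, for comparison."""
    return pkt.proto == "udp" and pkt.frag_offset != 0


def dns_reply_scenario() -> List[bool]:
    fw = FragAwareFirewall()
    fw.outbound(Packet("192.0.2.10", "198.51.100.53", "udp", 0, 40001, 53))
    first = Packet("198.51.100.53", "192.0.2.10", "udp", 0, 53, 40001)
    second = Packet("198.51.100.53", "192.0.2.10", "udp", 185)  # byte 1480 on
    stray = Packet("203.0.113.7", "192.0.2.10", "udp", 185)     # no matching flow
    return [fw.inbound(first), fw.inbound(second), fw.inbound(stray), pass_any_frag(stray)]
```

The scenario returns [True, True, False, True]: both fragments of the reply pass, the stray fragment is dropped by the on-demand rules but would be accepted by the blanket frag rule.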
