In message <[email protected]>, Nicholas 
Weaver writes:
>
>
> > On Jan 23, 2015, at 10:01 AM, Paul Hoffman <[email protected]>
> wrote:
> >
> > What is the problem with #2? IP fragmentation happens, and The Internet
> is expected to work with it. That is, of what possible value is "inform
> their customers"?
>
> The Internet has unfortunately decreed that Fragmentation Does Not Work
> with IPv4, and Really Does Not Work with IPv6.

No.  Firewall vendors are too lazy to properly design them to handle
fragments.  There is nothing inherently wrong with using fragments.

You don't need to reassemble packets to filter them.  Adding two on
demand entries would let the reply traffic get through without it
being wide open to all fragments.

source addr + dest addr + protocol + fragoffset == 0 + src port + dest port
source addr + dest addr + protocol + fragoffset != 0 

Firewalls today add the first of these rules but not the second.
You could turn the != into a > x where x covers the layer 3 protocol
header.

"pass udp any any frag" works when the firewall vendor doesn't add
the second on demand rule.

> This will cause timeouts until the resolver realizes it should use a
> smaller EDNS0 MTU and in that case, the resolver will failover to TCP for
> that query, which some in the DNS community view as anathema...
>
>
> --
> Nicholas Weaver                  it is a tale, told by an idiot,
> [email protected]                full of sound and fury,
> 510-666-2903                                 .signifying nothing
> PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
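The two on-demand entries Mark describes, modelled as an added example (this is not code from the original message or from ISC): a small stateful-firewall simulation that, on seeing an outbound UDP query, installs both the 5-tuple entry for the first fragment and the 3-tuple entry for non-first fragments, then runs a fragmented DNS reply through it. The resolver and authoritative addresses, ports and reply sizes are constructed for the illustration; the fragment layout follows the IPv4 header rules (20-byte IP header, 8-byte UDP header, fragment offsets in 8-byte units). The optional `min_frag_offset` parameter is my rendering of the "> x where x covers the layer 3 protocol header" refinement in the message.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

UDP = 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    frag_offset: int            # IPv4 fragment offset, in 8-byte units
    sport: Optional[int] = None  # None on non-first fragments: no L4 header present
    dport: Optional[int] = None


class StatefulFirewall:
    """Stateful filter that creates reply entries when it sees outbound traffic.

    add_fragment_entry=False models today's firewalls (only the 5-tuple entry);
    add_fragment_entry=True adds the second, fragment-offset != 0 entry.
    min_frag_offset (in 8-byte units) is the "> x" variant: reject fragments
    whose offset would land inside the layer 4 header (1 unit = 8 bytes = UDP).
    """

    def __init__(self, add_fragment_entry: bool, min_frag_offset: int = 1):
        self.add_fragment_entry = add_fragment_entry
        self.min_frag_offset = min_frag_offset
        self.first_frag_entries: Set[Tuple] = set()   # src, dst, proto, sport, dport
        self.frag_entries: Set[Tuple] = set()         # src, dst, proto

    def outbound(self, pkt: Packet) -> None:
        # Reply traffic has the addresses and ports swapped.
        self.first_frag_entries.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
        if self.add_fragment_entry:
            self.frag_entries.add((pkt.dst, pkt.src, pkt.proto))

    def inbound(self, pkt: Packet) -> bool:
        if pkt.frag_offset == 0:
            # First fragment (or unfragmented): the L4 ports are present, match on them.
            return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.first_frag_entries
        # Later fragment: no ports to match, so only the 3-tuple entry can admit it.
        return (pkt.frag_offset >= self.min_frag_offset
                and (pkt.src, pkt.dst, pkt.proto) in self.frag_entries)


def fragment_datagram(src: str, dst: str, sport: int, dport: int,
                      payload_len: int, mtu: int = 1500) -> list:
    """Split one UDP datagram into the IPv4 fragments a sender would emit."""
    ip_hdr, udp_hdr = 20, 8
    per_frag = (mtu - ip_hdr) // 8 * 8   # fragment data length must be a multiple of 8
    total = udp_hdr + payload_len
    frags, offset = [], 0
    while offset < total:
        first = offset == 0
        frags.append(Packet(src, dst, UDP, offset // 8,
                            sport if first else None, dport if first else None))
        offset += min(per_frag, total - offset)
    return frags


def simulate(fw: StatefulFirewall, reply_payload_len: int) -> Tuple[int, int]:
    """Send one constructed DNS query out, run the fragmented reply back in.

    Returns (fragments passed, fragments sent). Anything less than all of them
    means the resolver never reassembles the answer and times out.
    """
    resolver, auth = "192.0.2.10", "198.51.100.53"   # constructed documentation addresses
    fw.outbound(Packet(resolver, auth, UDP, 0, 40000, 53))
    reply = fragment_datagram(auth, resolver, 53, 40000, reply_payload_len)
    return sum(fw.inbound(f) for f in reply), len(reply)


def unsolicited_fragment_passes(fw: StatefulFirewall) -> bool:
    """A fragment with no matching outbound query must be dropped either way."""
    return fw.inbound(Packet("203.0.113.7", "192.0.2.10", UDP, 185))


if __name__ == "__main__":
    for label, add_entry in (("today", False), ("with second entry", True)):
        fw = StatefulFirewall(add_fragment_entry=add_entry)
        print(label, "3000-byte EDNS0 reply:", simulate(fw, 3000))
```

Running it shows the failure mode from the thread: with only the 5-tuple entry, a 3000-byte reply arrives as three fragments and only the first one is admitted, so the resolver waits for a reassembly that never completes; with the second entry installed on demand all three pass, while an unsolicited fragment from an unrelated source is still dropped in both configurations.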

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
