Chris Brenton wrote:
>
> Mikael Olsson wrote:
> >
> > I would certainly
> > hope that FW-1 is included in this category.
>
> NOT!
Ouch, that sucks. I really had higher hopes
for checkpoint than that.
> > 1. FW-1 by default drops any fragmented packet that has
> > a data length of 8 or 16 bytes.
Hmmm, let's see now. What happens if I send a 1500 byte (1480
byte payload) packet that needs to go through a path with
an MTU of 1492? Hmmm.. I get one 1472 byte payload and
then one 8 byte payload.
Ouch.
I guess they could have removed the restriction for last
fragments (MF flag set to 0). But what if I have to go
through TWO paths with decreasing MTUs?
My MTU = 1500
Path 1 MTU = 1492
Path 2 MTU = 1484
I send one 1500 (1480 byte payload) packet
Path 1 will convert to two packets:
1492 + 28 (payloads 1472+8)
Path 2 will convert to three packets:
1484 + 28 + 28 (payloads 1464+8+8)
Ouch. This means that the middle packet will be too small,
and it'll have MF=1, and hence won't get through!
Yeah I know, the above scenario isn't too likely. But
instead imagine what happens if you have to pass
through a VPN or two with different header sizes. It
gets more complex, but the same thing happens.
/Mike, rambling too much
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
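The fragmentation arithmetic in the post above, worked through as an added example (not code from the original message or from any firewall vendor). It assumes a 20-byte IPv4 header with no options, the DF bit clear so every hop may fragment, and a filter rule modelled on the one described: drop any fragment whose data length is 8 or 16 bytes, with an optional exemption for last fragments (MF=0). The MTU values are the ones from the post.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # IPv4 header without options (assumption)


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this data within the original datagram
    length: int   # bytes of data carried by this fragment
    mf: bool      # More Fragments flag


def fragment(frag: Fragment, mtu: int) -> list[Fragment]:
    """Split one fragment (or a whole datagram) so each piece fits the link MTU.

    All pieces except the last are a multiple of 8 bytes, as IPv4 requires;
    the last piece keeps the original MF flag, so a tail produced from a
    fragment that already had MF=1 also has MF=1.
    """
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    if frag.length <= mtu - IP_HEADER_LEN:
        return [frag]
    pieces = []
    pos = 0
    while pos < frag.length:
        n = min(max_data, frag.length - pos)
        last = pos + n == frag.length
        pieces.append(Fragment(frag.offset + pos, n, mf=(not last) or frag.mf))
        pos += n
    return pieces


def traverse(payload_len: int, path_mtus: list[int]) -> list[Fragment]:
    """Fragment a datagram with the given data length across a sequence of links."""
    frags = [Fragment(0, payload_len, mf=False)]
    for mtu in path_mtus:
        frags = [piece for f in frags for piece in fragment(f, mtu)]
    return frags


def apply_small_fragment_rule(frags: list[Fragment],
                              drop_sizes=(8, 16),
                              exempt_last: bool = False) -> list[Fragment]:
    """Model the filter from the post: drop fragments with 8 or 16 data bytes.

    With exempt_last=True a final fragment (MF=0) is allowed through even
    when it is that small, which is the relaxation the post speculates about.
    """
    kept = []
    for f in frags:
        small = f.length in drop_sizes
        exempt = exempt_last and not f.mf
        if small and not exempt:
            continue
        kept.append(f)
    return kept


def reassembles(frags: list[Fragment], total_len: int) -> bool:
    """True if the surviving fragments cover the whole datagram with no gap."""
    covered = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != covered:
            return False
        covered += f.length
    return covered == total_len and not any(f.mf for f in frags[-1:] if f.offset + f.length == total_len)


def lengths(frags: list[Fragment]) -> list[int]:
    return [f.length for f in frags]


if __name__ == "__main__":
    # Single hop with MTU 1492: 1472 + 8 data bytes, the 8-byte tail is MF=0.
    one_hop = traverse(1480, [1492])
    print(lengths(one_hop), [f.mf for f in one_hop])
    # Two hops, 1492 then 1484: 1464 + 8 + 8; the middle 8-byte piece has MF=1.
    two_hops = traverse(1480, [1492, 1484])
    print(lengths(two_hops), [f.mf for f in two_hops])
    # Even with the last-fragment exemption the middle piece is dropped and
    # the receiver can never complete reassembly.
    survivors = apply_small_fragment_rule(two_hops, exempt_last=True)
    print(lengths(survivors), reassembles(survivors, 1480))
```

The `reassembles` check is what makes the post's point concrete: after the second hop the datagram only survives the drop rule if the receiver gets all three pieces, and the exemption for MF=0 fragments rescues the tail but not the 8-byte middle fragment.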