Mikael Olsson wrote:
>
> Intermediary routers don't fragment very often. True.
> VPNs do all the time however. And VPNs are becoming more
> and more common, even solutions where satellite offices connect
> to the Internet THROUGH the VPN in order to utilize their home
> office's firewall before talking to the Internet.

that's right. there may also be similar "problems" with roaming.

>
> So we're going to see a whole lot more fragmentation than
> we are seeing today (IMHO).

or IP stacks would be modified to use the real MTU when sending/receiving
packets and another value for the upper layers. well, let's just wait and
see.... At this IP hour, you get many packets for the price of one...


anyway, fragmentation introduces weird problems that were not considered
when IP was designed.
modularity and protocol independence dictate that the payload is not
analyzed, but if at least TCP and UDP ports were included in all frags then
filters would be capable of determining the corresponding rule without
queuing these fragments.




regards,

mouss
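
The queuing problem described in the message above, as an added example that is not part of the original post: only the offset-0 fragment carries the UDP/TCP ports, so a port-based filter has to keep per-datagram state and hold any fragment that arrives before it. FragmentAwareFilter, the port-only rule set, the documentation-range addresses and the absence of state timeouts are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

def ipv4_fragment(src, dst, ident, offset_bytes, more, payload, proto=17):
    """Build a constructed IPv4 fragment (header checksum left at 0)."""
    flags_off = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def sample_fragments(dport, ident):
    """Constructed 34-byte UDP datagram split into a 24-byte and a 10-byte fragment."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + 26, 0) + b"A" * 26
    first = ipv4_fragment("192.0.2.10", "198.51.100.5", ident, 0, True, udp[:24])
    second = ipv4_fragment("192.0.2.10", "198.51.100.5", ident, 24, False, udp[24:])
    return first, second

class FragmentAwareFilter:
    """Hypothetical filter whose rules match on destination port only."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.verdicts = {}  # (src, dst, proto, id) -> "accept" / "drop"
        self.queued = {}    # same key -> fragments seen before the first one

    def handle(self, pkt):
        """Return (verdict, number of queued fragments released by this packet)."""
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)
        if (flags_off & 0x1FFF) == 0:
            # Offset 0: the only fragment that contains the transport header.
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
            verdict = "accept" if dport in self.allowed else "drop"
            if flags_off & 0x2000:  # more fragments follow: remember the verdict
                self.verdicts[key] = verdict
            return verdict, len(self.queued.pop(key, []))
        if key in self.verdicts:
            return self.verdicts[key], 0  # later fragment inherits the verdict
        # No ports in this fragment and no first fragment seen yet: must queue.
        self.queued.setdefault(key, []).append(pkt)
        return "queued", 0
```

If every fragment carried the ports, as the message suggests, `handle` could decide each packet on its own and both dictionaries would be unnecessary.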

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
