On Thu, 25 May 2000, Mikael Olsson wrote:
> > > I would certainly
> > > hope that FW-1 is included in this category.
> >
> > NOT!
>
> Ouch, that sucks. I really had higher hopes
> for checkpoint than that.
Mikael, before we flame Checkpoint, keep in mind they are following
RFC. The end host, and not intermediary routers, is supposed to
perform packet reassembly [Stevens, 11.5].
> > > 1. FW-1 by default drops any fragmented packet that has
> > > a data length of 8 or 16 bytes.
>
> Hmmm let's see now. What happens if I send a 1500 byte (1480
> byte payload) packet that needs to go through a path with
> an MTU of 1492? Hmmm.. I get one 1472 byte payload and
> then one 8 byte payload.
Whooh, looks like I did a bad job of my description. The initial
packet needs to be at least 24 bytes in length. If the last
Fragmented packet is 8 bytes, it will still be accepted. I need
to test this more, but I believe a state table entry is created
by the first Fragmented packet (min 24 bytes). Once that initial
packet is accepted and state table built, follow-on Fraged packets
of the same session are allowed, regardless of size. I definitely
need to do more testing before I can confirm any of this. We all
may want to do some more testing before we make assumptions of
what exactly is going on.
lance
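
The two readings of the rule in this thread, applied to the 1500-byte example, as an added sketch that is not from the original post or from Check Point. `fragment`, `rule_as_first_stated` and `rule_as_clarified` are hypothetical names, the 20-byte header and the reading of "24 bytes" as payload length are assumptions, and the stateful rule models the untested hypothesis above, not confirmed FW-1 behaviour.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20    # assumption: IPv4 header without options
MIN_FIRST_DATA = 24   # from the post; read here as payload bytes (assumption)

@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field
    offset: int   # payload offset in bytes within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF (more fragments) flag

def fragment(ident, payload_len, mtu):
    """Split a payload the way a router does: non-final pieces are multiples of 8."""
    step = (mtu - IP_HEADER_LEN) // 8 * 8
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, off = [], 0
    while off < payload_len:
        n = min(step, payload_len - off)
        frags.append(Fragment(ident, off, n, off + n < payload_len))
        off += n
    return frags

def rule_as_first_stated(frags):
    """Drop every fragment whose data length is 8 or 16 bytes."""
    return [f.length not in (8, 16) for f in frags]

def rule_as_clarified(frags):
    """Model of the untested hypothesis: a first fragment of >= 24 bytes creates
    state; later fragments of the same datagram then pass regardless of size."""
    state, verdicts = set(), []   # a real table would also key on src, dst, protocol
    for f in frags:
        if f.offset == 0:
            ok = f.length >= MIN_FIRST_DATA
            if ok:
                state.add(f.ident)
        else:
            ok = f.ident in state
        verdicts.append(ok)
    return verdicts

if __name__ == "__main__":
    frags = fragment(ident=1, payload_len=1480, mtu=1492)   # the case from the thread
    for f, a, b in zip(frags, rule_as_first_stated(frags), rule_as_clarified(frags)):
        print(f, "first-stated:", "accept" if a else "drop", "| clarified:", "accept" if b else "drop")
```

Under this model a trailing fragment that arrives before its first fragment has no state entry and is dropped, which is one of the cases the further testing mentioned above would need to cover.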