Hi, all,

On 11/5/2012 10:56 AM, Cao Zhen (cz) wrote:
> Hi Carsten,
>
> The problem you describe is cool.

Can someone summarize that to the list? I don't think I saw it.

There has been a lot of recent discussion on v6ops about fragmentation as well, notably on a recommendation they are considering to "drop all fragments" due to the overhead of processing any IPv6 options.

I claim:

a) if processing is an issue, then they could ask to recommend "drop IPv6 with any options", but dropping only fragments could easily require more extensive chained-header processing for routers

b) dropping all options isn't viable

Others have claimed that it's reasonable for a port filter device to drop all fragments and send back PTB messages. Here are my concerns with that approach:

- PTB messages themselves are already filtered by the same kind of operators who insist on routers doing port filtering

- sending PTB to a host that has fragmented might not help; if it could/wanted to adjust the TCP or UDP segment size, it would already have done so. Since IPv6 fragmentation happens at the source, the likely result is just a lot of smaller fragments (which isn't useful)

I am now considering whether a port filter device may need to reassemble IPv6 fragments. IMO, if such a device isn't in a network location where such reassembly is reasonable (i.e., on behalf of a host whose entire traffic it controls), then port filtering there isn't reasonable anyway. Yes, such reassembly might be considered to violate RFC 2460, but so does "drop all fragments" or "drop any options". Arguably any device that checks port numbers is acting either as the destination or a proxy for the destination anyway.

> But in the Lwig guidance document, I remember there is guidance saying we should avoid fragmentation if we can.

That's advisable anywhere, and already in RFC 2460.

> The fact is that the Internet today has very, very few fragments, due to MTU configuration/discovery and also the TCP MSS option. I do not know the case of the Internet of Things, though.

I'm not sure we're seeing the whole situation; fragments happen over tunnels too, many of which are secure and we might not be able to notice.

Joe
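Added here as an illustration, not part of Joe's or Cao Zhen's messages: a Python walk over the IPv6 extension-header chain, fed constructed packets with zero addresses (the names walk_ipv6_chain, ipv6 and frag_hdr are mine, not from any real stack). It shows why "drop only fragments" means chasing the whole header chain, and why a later fragment exposes no port numbers at all to a port filter that does not reassemble.

```python
import struct

# IANA next-header values used below.
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, TCP, UDP = 0, 43, 44, 60, 6, 17
CHAINED = {HOPOPT, ROUTING, DSTOPTS}   # headers with a (next, hdr-ext-len) prefix

def walk_ipv6_chain(pkt):
    """Walk the extension-header chain after the fixed 40-byte IPv6 header.
    Returns (transport_proto, (sport, dport) or None, frag_offset or None).
    ports is None for a non-first fragment: the transport header is not in
    this packet at all, so a port filter has nothing to match on."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    nh, off, frag_offset = pkt[6], 40, None
    while True:
        if nh == FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated Fragment header")
            nh = pkt[off]
            frag_offset = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) * 8
            off += 8
            if frag_offset:            # non-first fragment: payload only
                return nh, None, frag_offset
        elif nh in CHAINED:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh in (TCP, UDP) and len(pkt) >= off + 4:
            return nh, struct.unpack("!HH", pkt[off:off + 4]), frag_offset
        else:                          # unknown header, or too short to carry ports
            return nh, None, frag_offset

# --- constructed test packets (zero addresses, not real traffic) ---
def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + bytes(32) + payload

def frag_hdr(nh, offset, more, ident=0x1234):
    return struct.pack("!BBHI", nh, 0, ((offset // 8) << 3) | int(more), ident)

UDP_HDR = struct.pack("!HHHH", 5353, 53, 12, 0) + b"ping"        # sport 5353, dport 53
DSTOPTS_HDR = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])             # one PadN option, next = Fragment
PLAIN = ipv6(UDP, UDP_HDR)
FIRST_FRAG = ipv6(DSTOPTS, DSTOPTS_HDR + frag_hdr(UDP, 0, True) + UDP_HDR)
LATER_FRAG = ipv6(FRAGMENT, frag_hdr(UDP, 1232, False) + b"tail of the datagram")

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("first-frag", FIRST_FRAG), ("later-frag", LATER_FRAG)]:
        print(name, walk_ipv6_chain(p))
```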
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area