> On Aug 26, 2018, at 10:31 AM, Christian Huitema <[email protected]> wrote:
> 
> It seems that the biggest obstacles to fragmentation are NAT and Firewall. 
> They need the port numbers in order to find and enforce context. NAT might be 
> going away with IPv6, maybe, but firewalls are not.
> 
> Have you considered strategies that move the port number inside the IP header? 
> For example, have a UDP replacement for IPv6 that does not have any port 
> number in the new UDP header, and relies instead on unique IPv6 addresses per 
> context?

NATs already have what they need to do the proper job - they need to reassemble 
and defragment using unique IDs (or cache the first fragment when it arrives 
and use it as context for later - or earlier cached - fragments). There’s no 
rule that IP packets that are fragmented MUST have a transport header both 
visible (not encrypted) and immediately following the IP header. 

Firewalls are just delusions; the context they think they’re enforcing has no 
meaning except at the endpoints; it never did.

Using part of the IPv6 space for this solution would then break per-address 
network management (different UDP ports would use different IPv6 addresses, 
presumably).

The “disease” is that NATs don’t reassemble (or emulate it). It’s not useful to 
try to address the symptoms of that disease individually.

Joe
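Added example, not part of the thread: a minimal Python model of the fragment-context cache Joe describes, where a NAT keys state on (src, dst, Identification) from the IPv6 Fragment header, learns the transport ports from the offset-0 fragment, and applies that decision to fragments that arrive later or that arrived earlier and were buffered. The `Fragment` and `FragmentAwareNAT` names are my own.

```python
"""Stateful fragment handling for a NAT/firewall (illustrative model).

Only the offset-0 fragment carries the UDP/TCP header, so a middlebox that
insists on seeing ports in every packet cannot classify the others.  Keying
on the reassembly triple instead gives it the context it needs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int                # Identification field of the Fragment header
    offset: int               # fragment offset (0 = first fragment)
    more: bool                # M flag
    src_port: Optional[int] = None   # present only when offset == 0
    dst_port: Optional[int] = None


@dataclass
class FragContext:
    ports: Optional[Tuple[int, int]] = None   # learned from first fragment
    pending: List[Fragment] = field(default_factory=list)  # arrived early


class FragmentAwareNAT:
    """Maps every fragment of a packet to the flow of its first fragment."""

    def __init__(self) -> None:
        # A real implementation also expires contexts on a timer.
        self.contexts: Dict[Tuple[str, str, int], FragContext] = {}

    def process(self, frag: Fragment) -> List[Tuple[Fragment, Tuple[int, int]]]:
        """Return (fragment, (src_port, dst_port)) pairs ready to forward."""
        ctx = self.contexts.setdefault((frag.src, frag.dst, frag.ident), FragContext())
        if frag.offset == 0:
            ctx.ports = (frag.src_port, frag.dst_port)
        if ctx.ports is None:
            ctx.pending.append(frag)      # first fragment not seen yet: hold it
            return []
        ready, ctx.pending = ctx.pending + [frag], []
        return [(f, ctx.ports) for f in ready]


def demo() -> List[Tuple[int, Tuple[int, int]]]:
    """Constructed out-of-order arrival: offsets 1, 0, 2 of one DNS datagram."""
    nat = FragmentAwareNAT()
    a, b, ident = "2001:db8::1", "2001:db8::2", 0x1234
    frags = [Fragment(a, b, ident, 1, True),
             Fragment(a, b, ident, 0, True, 40000, 53),
             Fragment(a, b, ident, 2, False)]
    return [(f.offset, p) for frag in frags for f, p in nat.process(frag)]
```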
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area