On Sun, Aug 26, 2018 at 11:38 AM, Joe Touch <[email protected]> wrote:
>
>> On Aug 26, 2018, at 10:31 AM, Christian Huitema <[email protected]> wrote:
>>
>> It seems that the biggest obstacle to fragmentation are NAT and Firewall.
>> They need the port numbers in order to find and enforce context. NAT might
>> be going away with IPv6, maybe, but firewalls are not.
>>
>> Have you considered strategies that move the port number inside the IP header?
>> For example, have a UDP replacement for IPv6 that does not have any port
>> number in the new UDP header, and relies instead on unique IPv6 addresses
>> per context?
>
> NATs already have what they need to do the proper job - they need to
> reassemble and defragment using unique IDs (or cache the first fragment when
> it arrives and use it as context for later - or earlier cached - fragments).
> There's no rule that IP packets that are fragmented MUST have a transport
> header both visible (not encrypted) and immediately following the IP header.
>
> Firewalls are just delusions; the context they think they're enforcing has no
> meaning except at the endpoints; it never did.
>
> Using part of the IPv6 space for this solution would then break per-address
> network management (different UDP ports would use different IPv6 addresses,
> presumably).
>
> The "disease" is that NATs don't reassemble (or emulate it). It's not useful
> to try to address the symptoms of that disease individually.

Joe,
That is only a better solution, not a complete or robust one. For reassembly to work, all fragments of a packet must traverse the same NAT device. There is no rule that IP packets going to the same destination (fragments or not) ever MUST follow the same path. So in a multi-homed environment this will eventually break someone.

For IPv6, this is also a clear violation of RFC 8200, since intermediate nodes are processing a non-HBH extension header in a packet not addressed to them.

The only robust solution to NAT and its fragmentation problems, as well as a bunch of other problems NAT brings, is to not use NAT! (i.e. switch to IPv6)

Tom

> Joe

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
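The exchange above turns on a mechanical detail that is easy to state and easy to check: only the first IPv4 fragment of a UDP datagram carries the UDP header, so a NAT or stateful firewall that keys its context on a 5-tuple has nothing to look at in the remaining fragments unless it remembers the first one (Joe's "cache the first fragment" emulation of reassembly), and that memory is useless if the fragments of one packet reach different devices (Tom's multi-homing objection). The following Python is an added illustration written for this page, not code from either poster; it builds constructed IPv4/UDP fragments using documentation addresses, with checksums left zero, and the class and function names are the author's own.

```python
import socket
import struct
from dataclasses import dataclass

IP_PROTO_UDP = 17
MF_FLAG = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF      # fragment offset field, in 8-byte units


def build_fragments(src, dst, ident, sport, dport, payload, chunk):
    """Split one UDP datagram into IPv4 fragments of `chunk` payload bytes.
    Only the first fragment carries the 8-byte UDP header. Checksums stay
    zero: this is constructed test data, not wire-ready packets."""
    assert chunk % 8 == 0, "fragment payload must be a multiple of 8 bytes"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        flags_off = (MF_FLAG if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                          flags_off, 64, IP_PROTO_UDP, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + piece)
    return frags


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int        # byte offset of this piece within the original datagram
    more: bool
    payload: bytes


def parse_ipv4(pkt):
    """Decode the fields a middlebox needs to identify a fragment."""
    (ver_ihl, _, total, ident, flags_off, _, proto, _,
     s, d) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(socket.inet_ntoa(s), socket.inet_ntoa(d), ident, proto,
                    (flags_off & OFFSET_MASK) * 8, bool(flags_off & MF_FLAG),
                    pkt[ihl:total])


def ports_from_fragment(frag):
    """Naive per-packet lookup: the (sport, dport) pair is only visible when the
    transport header is present, i.e. in the first fragment."""
    if frag.proto != IP_PROTO_UDP or frag.offset != 0 or len(frag.payload) < 8:
        return None
    return struct.unpack("!HH", frag.payload[:4])


class FragmentContextCache:
    """Emulated reassembly on one device: remember the ports seen in a first
    fragment, keyed by (src, dst, id, proto), and apply them to the other
    fragments of the same datagram. Later fragments arriving before the first
    would have to be held until the key resolves; here they simply yield None."""

    def __init__(self):
        self.ctx = {}

    def classify(self, frag):
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        ports = ports_from_fragment(frag)
        if ports is not None:
            self.ctx[key] = ports
        return self.ctx.get(key)


def demo():
    # Constructed datagram: 40 payload bytes + 8 UDP header = 48 bytes,
    # split into 16-byte pieces -> three fragments at offsets 0, 16, 32.
    frags = [parse_ipv4(p) for p in build_fragments(
        "192.0.2.10", "198.51.100.20", 0xBEEF, 40000, 53, b"x" * 40, 16)]
    naive = [ports_from_fragment(f) for f in frags]        # only the first resolves
    one_device = FragmentContextCache()
    stateful = [one_device.classify(f) for f in frags]      # all three resolve
    # Multi-homed path split: the second fragment reaches a different device,
    # which never saw the first fragment and so has no context for it.
    dev_a, dev_b = FragmentContextCache(), FragmentContextCache()
    split = [dev_a.classify(frags[0]), dev_b.classify(frags[1]),
             dev_a.classify(frags[2])]
    return naive, stateful, split


if __name__ == "__main__":
    print(demo())
```

The three lists returned by `demo()` line up with the three positions in the thread: per-fragment port lookup fails on every non-first fragment, caching by (src, dst, id, proto) on a single device recovers the context for all of them, and splitting the fragments of one datagram across two devices leaves the second device with no way to classify what it receives.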
