On 2018-08-29 10:38, Tom Herbert wrote:
> I don't think you need the part about acting as a host, that would
> have other implications.
It does, and that's exactly why you do. In particular, this includes
ICMP processing.
> Also, the reassembly requirement might be
> specific to NAT and not other middlebox functionality. For instance,
> it would be sufficient for a firewall that is dropping UDP packets to
> some port to only drop the first fragment that has UDP port numbers
> and let the other fragments pass. Without the first fragment
> reassembly at the destination will simply timeout and the whole packet
> is dropped.
And that's a great example of why not reassembling (or equivalent) isn't
the appropriate behavior.
Yes, the packet will still not be delivered, but the receiver will end
up doing a lot of work that isn't necessary. I.e., the middlebox has
ignored work it was responsible for and caused work elsewhere.
Further, acting as a host is always the right thing for any node that
sources packets with its own IP address -- that includes NATs and
regular proxies. The behavior of transparent proxies is more complex,
but can be similarly reasoned from the appropriate equivalence model.
>> ...
>> I would argue that it is OK to give a middlebox the key if that's OK for a
>> given trust model, e.g., it would make sense inside an enterprise to offload
>> security to the ingress of that enterprise. But not elsewhere;
> Sure enterprises can do that. But I'm more worried about the five
> billion mobile devices that may connect to random WIFI or mobile
> networks over the course of a day. For them there is simply no concept
> that the network will provide any level of security.
Which is a great reason why it might actually be useful to shift the
security work to a "home entrance" device by placing the security there.
It's a matter of system configuration, but the point is that it isn't
the device that makes it incorrect; it is how it is configured and
deployed.
Joe
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
