>> Any middlebox that uses state not available in all fragments MUST reassemble >> or keep equivalent storage/state to process fragments appropriately.
This statement is true without question, so the only question is what applications would produce IP fragments that need to be forwarded by a middlebox. We have already seen that ‘iperf3’ produces IP fragments by default on some systems. And, intarea-tunnels makes the case for tunnels. I will also make the case for NAT66. With RFC4193 ULAs, NAT66 will be inevitable, but a middlebox may be able to translate based only on the IPv6 addresses and not transport-layer port numbers. Such a middlebox could forward fragments without having to reassemble or otherwise hold them until all fragments have arrived. Thanks - Fred From: Int-area [mailto:int-area-boun...@ietf.org] On Behalf Of Joe Touch Sent: Friday, August 31, 2018 8:57 AM To: Tom Herbert <t...@herbertland.com> Cc: int-area <int-area@ietf.org>; Toerless Eckert <t...@cs.fau.de>; intarea-cha...@ietf.org Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile On Aug 31, 2018, at 8:44 AM, Tom Herbert <t...@herbertland.com<mailto:t...@herbertland.com>> wrote: Joe, There is an alternative: don't use NAT! Agreed - that should also be part of the observations of this doc. Yes, something needs to be done, but I argue that *until we have a worked alternative*, we need to keep restating the fact - NATs/firewalls MUST reassemble to work properly; where they don’t, the error is on them - not the rest of the Internet for using fragments. Reassembly could only be a MUST for NAT, not firewalls. “or its equivalent" NAT might be required because of the identifier space issue, however we already shown how a firewall can achieve proper functionality without reassembly and to be stateless by forwarding fragments and potentially dropping the first one that contains port information being filtered. First, firewalls that port-filter need to do the same thing as a NAT in terms of keeping state. The fact that this might forward fragments that are never reassembled is at best an optimization with unproven benefit. ATM proved otherwise in numerous published studies in the late 1980s. Those fragments compete for bandwidth further along the path; anytime they “win”, that decision is not work-conserving. Note that keeping some state is already needed (if port-filtering) and that - as you note - the state filtering need not be “perfect”. However, it really ought to be SHOULD at least. There is another case where in-network reassembly could be required which is load balancing to a virtual IP address. Any middlebox that uses state not available in all fragments MUST reassemble or keep equivalent storage/state to process fragments appropriately. Like NAT though, in the long run I believe IPv6 offers a better solution that would eliminate the need for VIPs. That’s true right up until we end up in a world where (mostly) nobody correctly uses flow IDs. Oh, wait - we’re already there… Joe
_______________________________________________ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area