On Tue, Nov 13, 2018 at 3:13 AM Joe Touch <[email protected]> wrote:
> >> Fragment forwarding is a MUST in our standards.
> >
> > I believe you are talking about routers supporting forwarding
> > fragmented packets, not about policy decisions. While the
> > recommendations in the draft (not to filter ICMP PTB messages) are
> > about policies.
> > So just another policy-related recommendation makes sense, IMHO.
>
> So first, what is the *policy* reason for doing this? The policy of “Rocket”
> (Guardians of the Galaxy movie)? “Because I really want to”?
Well, usually the security policies are based on "permit only things
you need, drop everything else". Therefore in many cases fragments are
dropped because it's not obvious why they should be permitted. My
understanding is that teh main goal of BCP is document the problem,
explain what would happen if fragments are dropped and provided
recommendations to those who are looking for such recommendations.
That's why I suggested to add one more explicit recommendation on that topic.
> However, let’s just look at fragments - who are you trying to protect by
> blocking them?
> - endpoints can already drop whatever they can’t reassemble
> - an endpoint that lets fragments interfere with complete packets
> isn’t implementing reassembly correctly
(Just to clarify: you don't need to convince *me* that dropping
fragments is not necessary a good idea)
> Let’s please not dance around the issue - the only policy at play here is
> “vendors want to make money lying about what they sell”.
My experience is different. It has nothing to do with vendors most of
the time. It's mostly about engineers who has no idea why they should
explicitly permit fragments, so those poor packets hit the default
deny rule. That's why the BCP makes perfect sense. If fragments are
dropped because vendors are lying about what they sell (not sure I
understand what do you mean, actually) then no BCP would change it..
> > If we already have a document which is saying 'operators MUST NOT
> > filter any fragmented packets' then
> > it would be nice to reference it in the draft.
>
> We don’t have a document saying they MAY.
Er...I somehow suspect most operators apply "Everything which is not
forbidden is allowed" principle, not the converse one ;)
Again, when an engineer builds a set of filtering rules, they would
look for reason to allow some traffic ('if I do not allow those
packets a service I need would break") and the BCP provides such a
guidance.
> >> *Additionally*, it’s bad practice to indicate “SHOULD” unless the text
> >> also explains why it isn’t a MUST, i.e., under what conditions it is OK to
> >> not forward fragments.
> >
> > Sorry, I'm a bit confused. Which standard would need to be updated if
> > the proposed recommendation is made?
>
> If you’re going to systematically drop fragments:
Now I'm totally confused. Nobody suggests to drop fragments. Quite the opposite.
--
SY, Jen Linkova aka Furry
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
