FWIW... On 1/16/2019 11:26 AM, Tom Herbert wrote: > ...A stateless firewall could just drop the first fragment that > contains the transport layer header and allow non first fragments to > past. This achieves the filtering goal to prevent delivery of the > reassmbled packet.
That works only if the firewall drop rules are based on information available in the first fragment. The D in DPI often goes much further. Joe _______________________________________________ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area