On 2019-11-01 09:44, Fred Baker wrote:
> On Nov 1, 2019, at 12:39 AM, Joe Touch <to...@strayalpha.com> wrote:
> On Oct 31, 2019, at 5:07 PM, Erik Kline <ek.i...@gmail.com> wrote:
> It may be folly to try to modify IPv4 implementations at this point. I have
> no objections if you wish to try pushing this big rock up hill, but I doubt
> you will be successful.
>
> BTW, what *actually* prevents a middlebox from doing IPv6 fragmentation?
> Expecting it to work. That middlebox has no idea what packets are going
> through other middleboxes from the same endpoint. There's no way it can pick
> IDs to avoid collision, the way the origin can. That's why both IPv4 and IPv6
> rely on the origin creating those IDs.
>
> The result would either be significantly increased reassembly errors, sort of
> like accidental poisoning of the receiver's cache, or potentially resulting
> in incorrect packets (the latter could be more likely in some cases, e.g.,
> when the fragment happens to have a zero IP checksum).
>
> I don't especially disagree with you, BUT...
>
> Thinking about middlebox fragmentation. OK, suppose I am a company with
> N middleboxen. Suppose I configured the middleboxes to generate N
> disjoint ranges of IDs. If I have a datagram arriving at a middle box
> and being fragmented into two or more, and the ID generated is within
> the range assigned to the middle box, I don't think the results you
> predict actually transpire.

Yes - but that's exactly the point. You can't know you are the only such
middlebox.

I.e., my general rule about middleboxes is that they work ONLY when ALL
the middleboxes on a path from A to B can act as a single proxy for
either A or B. That works at the edge of an enterprise (firewalls set up
around an enterprise perimeter) but nearly nowhere else.

> Note that I'm not writing a draft about that. I'm not sure I want anyone
> thinking it's a great idea and needs to be implemented.
Glad to hear that, though.
Joe
_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area
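
Added example, not part of the original thread or anyone's implementation: a toy Python model of the three cases discussed above (middleboxes picking fragment IDs independently, middleboxes given disjoint ID ranges, and disjoint ranges plus one box outside that coordination). The names Middlebox, receive, run and scenarios, the addresses, the two-fragments-per-datagram split, the first-fragment-per-offset-wins receiver and the absence of any upper-layer checksum are all assumptions of the model.

```python
SRC, DST = "2001:db8::a", "2001:db8::b"   # constructed documentation addresses

class Middlebox:
    """In-path fragmenter drawing IDs from its own range [lo, hi) with a local counter."""
    def __init__(self, name, lo=0, hi=2**32):
        self.name, self.lo, self.hi, self.n = name, lo, hi, 0
    def fragment(self, payload):
        frag_id = self.lo + self.n % (self.hi - self.lo)
        self.n += 1
        half = len(payload) // 2
        # Fragment = (src, dst, id, offset, more_fragments, data)
        return [(SRC, DST, frag_id, 0, True, payload[:half]),
                (SRC, DST, frag_id, half, False, payload[half:])]

def receive(wire):
    """Reassemble keyed on (src, dst, id); the first fragment seen per offset wins."""
    pending, done = {}, []
    for src, dst, fid, off, more, data in wire:
        key = (src, dst, fid)   # the receiver cannot see which box made a fragment
        parts = pending.setdefault(key, {})
        parts.setdefault(off, (more, data))
        if 0 in parts and any(not m for m, _ in parts.values()):
            done.append(b"".join(d for _off, (_m, d) in sorted(parts.items())))
            del pending[key]
    return done

def run(boxes, rounds=4):
    """Send `rounds` datagrams via each box; return (intact, corrupted) at the receiver."""
    sent, wire = [], []
    for r in range(rounds):
        frags = []
        for box in boxes:
            payload = f"{box.name}{r:03d}".encode() * 2   # constructed, unique per datagram
            sent.append(payload)
            frags.append(box.fragment(payload))
        # Paths reorder: first fragments arrive in order, last fragments reversed.
        wire += [f[0] for f in frags] + [f[1] for f in reversed(frags)]
    got = receive(wire)
    return sum(p in sent for p in got), sum(p not in sent for p in got)

def scenarios():
    # Boxes with default arguments share the full ID space and no state (worst case).
    split = lambda: [Middlebox("A", 0, 2**31), Middlebox("B", 2**31, 2**32)]
    return {"uncoordinated": run([Middlebox("A"), Middlebox("B")]),
            "disjoint ranges": run(split()),
            "disjoint + unknown box": run(split() + [Middlebox("C")])}

if __name__ == "__main__":
    for name, (ok, bad) in scenarios().items():
        print(f"{name:24} intact={ok} corrupted={bad}")
```

In this model the disjoint ranges remove every collision among the coordinated boxes, and a single box outside the coordination brings mixed reassemblies back for the datagrams whose IDs it overlaps.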