On Sun, Nov 27, 2005 at 08:00:32PM -0800, Vishwas Manral wrote:
> Hi Fred,
>
> Good point. I agree; however, a bigger limit would provide more
> protection. Besides, a lot of extension headers may not be valid in most
> cases, so TCP headers would come within the 800 bytes. Having a
> configurable minimum value with a default closer to 800 could help too.

Not quite sure what you mean, since at least one fragment might be smaller,
but I suppose you mean the initial one. If we were to have a minimum, I would
suggest 640 (based on what I posted earlier in this thread). However, with
IPv6 it is perfectly possible to add so many extension headers that the TCP
header is beyond whatever boundary you might set. I think perhaps that's
what Fred was saying. I suppose you could just drop such packets, assuming it
is some kind of attack, though.

Another thing is that by doing filtering in end-hosts this would be less of
an issue. You can reassemble the entire packet before making decisions.

> Pyda, on another note I have been wondering whether NAPT-PT works
> properly in the case where the first fragment did not have the TCP port,
> unless we maintained state for fragments (what the next header expected
> in the fragment is, etc.)?

Yes, it would make NAPT-PT difficult, but I'm not so sure I want to have
NAPT-PT anyway...

Stig

--------------------------------------------------------------------
IETF IPv6 working group mailing list
--------------------------------------------------------------------
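As an added illustration (my own code, not from Stig, Vishwas or the working group) of the filter policy discussed above: walk a first fragment's extension-header chain and reject it when the TCP header does not land inside the fragment, or when the fragment is shorter than the 640-byte minimum Stig suggests. Header layouts follow RFC 2460; the packets, the `ipv6()` builder and the 640 default are constructed assumptions.

```python
import struct

# Extension headers that carry a (next header, hdr ext len) chain; the length
# field counts 8-octet units beyond the first 8 (RFC 2460). Fragment is fixed 8.
CHAINED = {0: "hop-by-hop", 43: "routing", 60: "destination options"}
FRAGMENT, TCP, TCP_FIXED_HEADER = 44, 6, 20

def walk_chain(pkt: bytes):
    """Follow the extension-header chain of one IPv6 packet or fragment and
    return (proto, offset, first, more, error): upper-layer protocol and its
    offset (None and stop point if unreachable), offset-0/unfragmented?, M flag."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, 0, True, False, "not an IPv6 packet"
    nh, off, more = pkt[6], 40, False
    while nh == FRAGMENT or nh in CHAINED:
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return None, off, True, more, "extension chain runs past end of data"
        size = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if nh == FRAGMENT:
            field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            more = bool(field & 1)
            if field >> 3:  # non-zero offset: payload is a slice, not headers
                return None, off + 8, False, more, None
        nh, off = pkt[off], off + size
    return nh, off, True, more, None

def accept_first_fragment(pkt: bytes, min_first: int = 640):
    """Policy from the thread: a first fragment must carry the whole TCP
    header and, when more fragments follow, be at least min_first bytes."""
    proto, off, first, more, error = walk_chain(pkt)
    if error:
        return False, error
    if not first:
        return True, "non-first fragment, left to reassembly"
    if proto == TCP and off + TCP_FIXED_HEADER > len(pkt):
        return False, "TCP header not within the first fragment"
    if more and len(pkt) < min_first:
        return False, f"first fragment shorter than {min_first} bytes"
    return True, f"upper-layer protocol {proto} at offset {off}"

def ipv6(next_hdr: int, body: bytes) -> bytes:
    """Constructed sample: minimal IPv6 header (zero addresses) before body."""
    return struct.pack("!IHBB", 0x60000000, len(body), next_hdr, 64) + bytes(32) + body

# Constructed samples. GOOD: Fragment(offset 0, M=1) then TCP, padded to 640 bytes.
# BAD: same, but a Destination Options header claiming 808 bytes sits in front
# of TCP, so the TCP header would only arrive in a later fragment.
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
GOOD = ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1, 1) + TCP_HDR + bytes(572))
BAD = ipv6(FRAGMENT, struct.pack("!BBHI", 60, 0, 1, 1) + bytes([TCP, 100]) + bytes(606))
```

Non-first fragments are passed through here because, as Stig notes, only reassembly can judge them; a host-side filter would run the same check on the reassembled packet instead.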
