Hi, I agree with Francis that there is the issue of the transport headers not being present in the first fragment itself. In IPv4 the minimum fragment size is 64 which means the first fragment has the header (even when options are present).
We have a draft to take care of this for IPv6: http://tools.ietf.org/html/draft-manral-v6ops-tiny-fragments-issues-03

A link to the Tiny Fragment attack: http://www.javvin.com/networksecurity/TinyFragmentAttack.html

I am also working with Suresh Krishnan to get a new version of this draft out.

Thanks,
Vishwas

On Thu, Apr 15, 2010 at 7:00 AM, Francis Dupont <[email protected]> wrote:
> In your previous mail you wrote:
>
> any implementation (hardware or software) that extracts
> the 5-tuple has to follow the linked list to the end.
>
> => and in a rare case ports are not in the first fragment...
>
> Or we can strongly recommend that all hosts set the flow label, so
> that we can use the 3-tuple {source address, dest address, flow label}.
>
> => the flow label was designed for it, wasn't it? And I can't see
> a problem with recommending to set the flow label to get a "better" QoS.
> BTW this simplifies fragment classifying too.
>
> Regards
>
> [email protected]
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
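The situation the two messages above describe, a classifier that walks the IPv6 extension-header chain to the transport header and finds that, for a fragment, the ports may simply not be there, can be shown with a small parser. The following is an added example and is not code from the thread, the draft, or any IETF implementation; it builds its own constructed packets (a plain TCP packet, a first fragment that still carries the TCP header, a "tiny" first fragment whose TCP header has been pushed into the next fragment, and a later fragment) and extracts the 5-tuple where it can, falling back to the 3-tuple {source, destination, flow label} where it cannot. The addresses, ports, flow label and fragment identification are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPV6_HDR_LEN = 40
# Extension headers sharing the "Next Header, Hdr Ext Len (8-octet units, not
# counting the first 8)" layout: Hop-by-Hop, Routing, Destination Options.
EXT_COMMON = {0, 43, 60}
FRAGMENT = 44   # fixed 8-byte Fragment header
AH = 51         # Authentication Header: length in 4-octet units, minus 2
PORTED = {6, 17}  # TCP and UDP carry ports in the first 4 bytes of their header


@dataclass
class FlowKey:
    src: bytes
    dst: bytes
    flow_label: int
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    @property
    def five_tuple(self) -> Optional[Tuple]:
        # Only available when the transport header was present in this packet.
        if self.sport is None:
            return None
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    @property
    def three_tuple(self) -> Tuple:
        # Always available: the flow label lives in the fixed IPv6 header.
        return (self.src, self.dst, self.flow_label)


def classify(pkt: bytes) -> FlowKey:
    """Follow the extension-header chain and extract as much of the 5-tuple as
    this packet actually contains. Ports stay None for a non-first fragment or
    for a first fragment that ends before the transport header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    flow_label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    key = FlowKey(src=pkt[8:24], dst=pkt[24:40], flow_label=flow_label)
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while True:
        if next_hdr in EXT_COMMON or next_hdr == AH:
            if off + 2 > len(pkt):
                return key  # chain truncated, nothing more to learn here
            units = pkt[off + 1]
            hdr_len = (units + 2) * 4 if next_hdr == AH else (units + 1) * 8
            next_hdr, off = pkt[off], off + hdr_len
        elif next_hdr == FRAGMENT:
            if off + 8 > len(pkt):
                return key
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            next_hdr, off = pkt[off], off + 8
            if frag_offset != 0:
                # Later fragment: the Next Header field names the first header
                # of the original fragmentable part, but that header is not here.
                key.proto = next_hdr
                return key
        else:
            break
    key.proto = next_hdr
    if next_hdr in PORTED and off + 4 <= len(pkt):
        key.sport, key.dport = struct.unpack("!HH", pkt[off:off + 4])
    return key


def lookup_key(pkt: bytes) -> Tuple[str, Tuple]:
    """What a flow table would actually key on: 5-tuple when present,
    otherwise the 3-tuple built from the flow label."""
    k = classify(pkt)
    return ("5-tuple", k.five_tuple) if k.five_tuple else ("3-tuple", k.three_tuple)


# ---- constructed sample packets (not captured traffic) ----
SRC = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"   # 2001:db8::1
DST = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"   # 2001:db8::2
FLOW = 0x12345
TCP_HDR = struct.pack("!HH", 443, 51000) + b"\x00" * 16   # 20-byte TCP stub


def ipv6(next_hdr: int, payload: bytes) -> bytes:
    first_word = (6 << 28) | FLOW
    return struct.pack("!IHBB", first_word, len(payload), next_hdr, 64) + SRC + DST + payload


def frag_hdr(next_hdr: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | int(more), 0xDEADBEEF)


# Destination Options header of minimum size: Next Header = TCP, PadN filling 6 bytes
DEST_OPTS = bytes([6, 0, 1, 4]) + b"\x00" * 4

PKT_PLAIN = ipv6(6, TCP_HDR)
PKT_FIRST_FRAG = ipv6(FRAGMENT, frag_hdr(6, 0, True) + TCP_HDR)
PKT_TINY_FIRST_FRAG = ipv6(FRAGMENT, frag_hdr(60, 0, True) + DEST_OPTS)  # TCP header in next fragment
PKT_LATER_FRAG = ipv6(FRAGMENT, frag_hdr(6, 1, False) + b"\x00" * 8)

if __name__ == "__main__":
    for name, p in [("plain", PKT_PLAIN), ("first frag", PKT_FIRST_FRAG),
                    ("tiny first frag", PKT_TINY_FIRST_FRAG), ("later frag", PKT_LATER_FRAG)]:
        print(name, lookup_key(p))
```

The tiny first fragment is the case Francis points at: the chain is walked to its end, the parser learns that TCP comes next, and then runs out of bytes before the port fields, so the only consistent key a hardware or software classifier can use for that packet is the 3-tuple, which is why having hosts set the flow label makes the fallback usable rather than a collision on {src, dst, 0}.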
