* Brian A Seklecki (Mobile) <[EMAIL PROTECTED]> [2007-10-26 17:19]:
> On Mon, 2007-10-22 at 12:04 +0200, Henning Brauer wrote:
> > * Claudio Jeker <[EMAIL PROTECTED]> [2007-10-22 08:17]:
> > > Fragment Reassembly does not happen in the forwarding plane, it happens on
> > > the end system. By doing "flow" based forwarding on the router you're no
> > > longer able to do all the additional checks that pf(4) is doing in its
> > > stateful forwarding path.
> > 
> > and we don't actually need these on a non-edge router. I'd go so far
> > to say they hurt in that case.
> 
> I agree.
> 
> Just to confirm... you do not encourage the use of fragment reassembly
> at forwarding points other than the network periphery?

well, fragment reassembly probably doesn't hurt that much... don't 
really think it makes too much sense in these scenarios either. On the 
edge, yes, should be done.
I was more thinking about the sequence number tracking. We can't do 
that correctly if we only see one direction of the flow.

> We recently ran into some intermittent TCP connection stalls in a
> network where end point systems were behind as many as three PF systems
> end-point to end-point.  "pfctl -x loud" had a direct correlation to the
> stalls and reassemble debug activity output.
> 
> We didn't debug it too much because there was a mix of 3.7, 3.9, and 4.1
> systems and we wanted to standardize on 4.2 before filing any
> superfluous bug reports.

I have a hard time remembering what was in 3.7 or 3.9 :)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
