Hi, Joel, On 10/04/2012 10:58 AM, joel jaeggli wrote: > So the thing I'd note is that stateless IPV6 ACLs or load balancing > provide you with an interesting problem since a fragment does not > contain the headers beyond the required unfragmentable headers.
In the real world, such packets are not legitimate, so feel free to drop them. draft-ietf-6man-oversized-header-chain formally addresses this issue. > Likewise with the acl I have the property that the initial packet has > all the info in it while the fragment does not. You're talking about initial-fragment vs non-initial fragments? -- If so, in theory *both* might be missing the upper layer information. IN practice, the first-fragment won't. If it does, feel free to drop it. Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1