> Perfect, so following your argumentation here, scrub should "normalize"
> the packets to ensure "the end host will reassemble those packets"

No. Normalization ensures passive intermediate hosts will reassemble the
packets the same way as the end host does.

> That means to me:
> 1) Reassemble the packet
> 2) *Remove* the DF bit (since PMTU will stop here anyway)
> 3) Send it to the new host (possibly refragmenting it, but *without*
> the DF)

It would make sense to extend the behavior of 'no-df' rules to cover that
and allow scrub to operate more in the 'fragment reassembly' sense than in
the normalization sense.

> BTW, if the "end host" is "this host" (like in my NFS case) there are no
> ambiguities, we know we do accept these packets.

The administrator may know that, but neither the firewall nor an
intermediate IDS will.

.mike
