Ok. Thanks for the clarification. So if we look at softwire and NAT in isolation, the tunneling function is fine with fragments. We need to do v4 defragmentation based on the requirements of the NAT function.

Defragmentation does open the avenue for "Fragmentation Buffer Full" attack, but this will only affect subsequent fragments and not normal IP packets. This is a tradeoff between supporting fragments to at least an extent.

Regards
Tarun Saxena

-----Original Message-----
From: Lee, Yiu [mailto:[email protected]]
Sent: Wednesday, June 02, 2010 6:07 PM
To: Alain Durand
Cc: Tarun Saxena; [email protected]
Subject: Re: [Softwires] IPv4 fragmentation and reassembly in DS-Lite

Agreed. But the problem is the NAT device doesn't know how much buffer it will need to reserve for de-fragmentation because it doesn't know how many times a packet got fragmented. This opens a hole for "Fragmentation Buffer Full" attack. I am curious how most home gateways handle v4 fragmentation from hosts today?

On 6/2/10 8:11 AM, "Alain Durand" <[email protected]> wrote:

> Except that, as the AFTR needs to NAT the packet back to the tunnel, it needs
> to reassemble the packet first.
>
> - Alain.

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
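
Added example, not part of the original thread and not code from any DS-Lite implementation: a sketch of a reassembly stage in front of a NAT with a fixed byte budget and a timeout, showing that a full buffer drops only further fragments while unfragmented packets pass. The class name, the budget and timeout values, and the use of byte offsets (real IPv4 offsets are in 8-byte units) are assumptions made for illustration.

```python
import time
from collections import OrderedDict

class BoundedReassembler:
    """Hypothetical IPv4 reassembly stage ahead of a NAT, capped at max_bytes."""

    def __init__(self, max_bytes=4096, timeout=30.0, clock=time.monotonic):
        self.max_bytes, self.timeout, self.clock = max_bytes, timeout, clock
        self.used = 0                  # bytes currently held in the buffer
        self.flows = OrderedDict()     # (src, dst, proto, ip_id) -> state, oldest first

    def _expire(self):
        # Release incomplete datagrams older than the timeout so the budget recovers.
        now = self.clock()
        while self.flows:
            key, st = next(iter(self.flows.items()))
            if now - st["first_seen"] < self.timeout:
                break
            self.used -= sum(len(p) for p in st["parts"].values())
            del self.flows[key]

    def submit(self, src, dst, proto, ip_id, offset, more_fragments, payload):
        """Return the whole payload when it can go to NAT, else None (held or dropped)."""
        if offset == 0 and not more_fragments:
            return payload             # unfragmented packet: never touches the buffer
        self._expire()
        key = (src, dst, proto, ip_id)
        st = self.flows.get(key)
        if st and offset in st["parts"]:
            return None                # duplicate fragment: ignore
        if self.used + len(payload) > self.max_bytes:
            return None                # budget exhausted: drop this fragment only
        if st is None:
            st = self.flows[key] = {"first_seen": self.clock(), "parts": {}, "total": None}
        st["parts"][offset] = payload
        self.used += len(payload)
        if not more_fragments:
            st["total"] = offset + len(payload)   # last fragment fixes the length
        if st["total"] is None:
            return None
        out, pos = b"", 0
        for off in sorted(st["parts"]):
            if off != pos:
                return None            # hole or overlap: keep waiting until timeout
            out += st["parts"][off]
            pos += len(st["parts"][off])
        if pos != st["total"]:
            return None
        self.used -= pos               # datagram complete: free its bytes
        del self.flows[key]
        return out
```
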
