Iljitsch van Beijnum wrote:
> On 19 May 2009, at 11:08, Magnus Westerlund wrote:
>
>> So this is IPsec tunnel mode which is commonly used for VPN, which means
>> that one of the parties is quite likely behind a NAT or at least a
>> firewall. Thus, relying on IP fragmentation is likely to mean, all
>> fragmented packets dropped on the floor by the middlebox.
>
> Where do you get that?

I am not saying that all middleboxes are broken. Only that there is talk about middleboxes that don't handle fragmentation properly. I don't have any numbers for how common this is. However, it definitely has been raised in BEHAVE, for example when we discussed section 11 of RFC 4787.

> I've never heard of fragmentation breaking consistently in middleboxes.
> This is from a system behind a NAT running peer-to-peer stuff for a
> while and communicating with some local systems. Since locally
> everything is ethernet and that communication is basically only TCP I
> don't think the fragments were local:
>
> 94869703 total packets received
> 112346 fragments received
> 0 fragments dropped (dup or out of space)
> 13 fragments dropped after timeout
> 53614 packets reassembled ok
>
>> Also, the segmentation mechanism that ROHC has is currently defined to
>> be turned off. The ROHC people can fill in the motivation for that. One
>> is clearly the need to keep state in the tunnel end-points for
>> reassembly.
>
> If you can do IPsec and header compression then reassembly for a small
> percentage of all packets isn't unreasonable.

No, I agree that this shouldn't be an issue. But it does introduce a certain amount of buffering requirements on the reassembling side. I think the ROHC people already have provided the real reason for their choice.

Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: [email protected]
----------------------------------------------------------------------
