
RE: Status of Operational issues with Tiny Fragments in IPv6



I may be missing the issue in the draft but I take the main issue to be
as follows:

From section 4 of the spec
>Having tiny fragments could mean that none of the fragments would be the Initial
>Fragment. So any access control/tunneling based on that may not work unless reassembly
>is done, or extra state like nextHeader and previous header length remaining are kept
>across fragments.

My first thought now is this is life with IPv4 or IPv6.  Packet assembly
and reassembly is required.  The spec does not provide for me why this
cannot be done from an IETF protocol view for IPv6.

Is this an implementation problem and not an IETF specification problem,
thus it was correct to send it to v6ops to do a logic check if there is
anything we can do operationally to address the stated issue.

I don't think this spec should even move forward, but again maybe I am
missing the issue that is other than the mid box doing normal packet
reassembly for IPv6?

NB: Also, if the packet was encrypted with IPsec, many of the security
issues are addressed, and also the entire notion of Firewalls for
implementation (as opposed to IETF standardization) is a current
discussion in multiple market vertical segments: how end-to-end with
IPsec is implemented when Firewalls are present.


Best,
/jim
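
Added example, not part of the original message or of the draft it quotes: a Python sketch of what a stateless filter can decide from one IPv6 packet when the header chain is split across tiny fragments, as the quoted section 4 text describes. The function names, result labels, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, TCP, UDP = 0, 43, 44, 60, 6, 17
SKIPPABLE = {HOPOPTS, ROUTING, DSTOPTS}  # headers whose length is (len field + 1) * 8

def classify(pkt: bytes) -> str:
    """What a stateless filter can learn from this one IPv6 packet alone."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "malformed"
    nh, off = pkt[6], 40                       # Next Header field, end of fixed header
    while nh in SKIPPABLE or nh == FRAGMENT:
        if off + 8 > len(pkt):
            return "chain-truncated"           # chain continues in a later fragment
        if nh == FRAGMENT:
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                return "non-initial-fragment"  # needs kept state or reassembly
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    need = 4 if nh in (TCP, UDP) else 0        # source and destination ports
    if off + need > len(pkt):
        return "chain-truncated"               # upper-layer header is not in this packet
    return "filterable"

# Constructed sample packets (documentation prefix 2001:db8::/32), never sent anywhere.
def ipv6(nh: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + src + dst + payload

def frag(nh: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset_units << 3) | int(more), 0x1234)

def samples() -> dict:
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    dstopts = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])  # 8-byte header with one PadN option
    return {
        "unfragmented": ipv6(TCP, tcp),
        "tiny first fragment": ipv6(FRAGMENT, frag(DSTOPTS, 0, True) + dstopts),
        "second fragment": ipv6(FRAGMENT, frag(DSTOPTS, 1, False) + tcp),
    }

if __name__ == "__main__":
    for name, pkt in samples().items():
        print(f"{name}: {classify(pkt)}")
```

Only the unfragmented packet exposes the TCP ports to a per-packet check; the other two results are the cases where a middlebox has to reassemble or carry state across fragments.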