Re: New fragment header, was: Re: Evolution of the IP model - ICMP and MTUs
On 22 aug 2008, at 9:27, Suresh Krishnan wrote:
I had similar issues to you a couple of years ago in going over hop
by hop options to get to the transport layer port information. And
one solution I thought of was exactly the same as you. But I
eventually realized it does not work very well. E.g., what happens if
the eventual transport ports as seen by the end host do not match
with the fragment header's? This would be a firewall bypass vector.
Well, the first thing that always comes to my mind in these situations
is the adage "so don't do that." (I.e., take the new fragment header
ports at face value.)
I was considering mandating that the transport port numbers be zeroed
out so that they must be copied back from the new fragment header by
the receiver...
Another option would be to compress the transport headers. But I
didn't want to make the thing overly complex. :-)
Iljitsch
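As an added illustration of the two positions in this exchange (not code from either participant or from any draft), the model below puts the ports a firewall would filter on from the proposed fragment header next to the ports the end host would actually deliver to. The header layout, the "face-value" and "zero-and-copy" policy names, and the sample packets are all assumptions made for this example; the thread specifies no wire format.

```python
import struct

# Assumed layout for the proposed fragment header: just the two 16-bit
# transport ports it would carry (hypothetical; not from the thread).
def build_frag_header(src_port: int, dst_port: int) -> bytes:
    return struct.pack("!HH", src_port, dst_port)

def frag_header_ports(frag_hdr: bytes) -> tuple:
    return struct.unpack("!HH", frag_hdr[:4])

# Constructed UDP-style transport header: ports, length, checksum.
def build_transport_header(src_port: int, dst_port: int) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8, 0)

def transport_ports(transport_hdr: bytes) -> tuple:
    """TCP and UDP both start with 16-bit source and destination ports."""
    return struct.unpack("!HH", transport_hdr[:4])

def restore_ports(transport_hdr: bytes, ports: tuple) -> bytes:
    """Receiver side of zero-and-copy: write the header's ports back in."""
    return struct.pack("!HH", *ports) + transport_hdr[4:]

def firewall_decision(frag_hdr: bytes, transport_hdr: bytes,
                      policy: str, allowed_dst_ports: set) -> dict:
    """Compare what the firewall filtered on with what the host will use.

    face-value:    firewall trusts the fragment header, host reads the real
                   transport header (Suresh's bypass case when they differ).
    zero-and-copy: transport ports must be zero on the wire and are copied
                   from the fragment header, so both views are the same.
    """
    claimed = frag_header_ports(frag_hdr)
    on_wire = transport_ports(transport_hdr)
    if policy == "face-value":
        seen_by_host = on_wire
    elif policy == "zero-and-copy":
        if on_wire != (0, 0):
            # Non-zero ports violate the mandate; treat as malformed and drop.
            return {"verdict": "drop", "claimed": claimed,
                    "host": None, "bypass": False}
        seen_by_host = transport_ports(restore_ports(transport_hdr, claimed))
    else:
        raise ValueError(f"unknown policy {policy!r}")
    verdict = "pass" if claimed[1] in allowed_dst_ports else "deny"
    # A bypass is a packet the firewall passed on ports the host never uses.
    bypass = verdict == "pass" and seen_by_host != claimed
    return {"verdict": verdict, "claimed": claimed,
            "host": seen_by_host, "bypass": bypass}
```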