
Re: New fragment header, was: Re: Evolution of the IP model - ICMP and MTUs



On 22 Aug 2008, at 9:27, Suresh Krishnan wrote:

I had similar issues to you a couple of years ago in going over hop-by-hop options to get to the transport layer port information. And one solution I thought of was exactly the same as yours. But I eventually realized it does not work very well. E.g. what happens if the eventual transport ports as seen by the end host do not match with the fragment header's? This would be a firewall bypass vector.

Well, the first thing that always comes to my mind in these situations is the adage "so don't do that." (I.e., take the new fragment header ports at face value.)

I was considering mandating that the transport port numbers be zeroed out so that they must be copied back from the new fragment header by the receiver...

Another option would be to compress the transport headers. But I didn't want to make the thing overly complex. :-)

Iljitsch
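The exchange above contrasts three ways a middlebox or receiver could treat port numbers carried in a proposed new fragment header: take them at face value, cross-check them against the real transport header in the first fragment, or require the sender to zero the transport ports so the receiver copies them back. The following is an added example written for this page, not code from the thread or from any IETF draft; the 12-byte header layout (next header, reserved, offset/more flag, identification, source port, destination port) is a constructed assumption, since the thread fixes no wire format.

```python
import struct

# Constructed layout for the proposed fragment header (an assumption for this
# example; the thread describes the idea but fixes no wire format):
#   next_hdr(1) reserved(1) offset<<3|more(2) identification(4) src_port(2) dst_port(2)
FRAG_HDR_FMT = "!BBHIHH"
FRAG_HDR_LEN = struct.calcsize(FRAG_HDR_FMT)   # 12 bytes
TCP_NEXT_HDR = 6


def build_frag_header(ident, offset, more, src_port, dst_port, next_hdr=TCP_NEXT_HDR):
    off_flags = ((offset & 0x1FFF) << 3) | (1 if more else 0)
    return struct.pack(FRAG_HDR_FMT, next_hdr, 0, off_flags, ident, src_port, dst_port)


def parse_frag_header(pkt):
    nh, _, off_flags, ident, sp, dp = struct.unpack(FRAG_HDR_FMT, pkt[:FRAG_HDR_LEN])
    return {"next_hdr": nh, "offset": off_flags >> 3, "more": bool(off_flags & 1),
            "ident": ident, "src_port": sp, "dst_port": dp}


def build_tcp_header(src_port, dst_port):
    # Minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN, window, csum, urg.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def transport_ports(pkt):
    # In the first fragment the transport header directly follows the fragment header.
    return struct.unpack("!HH", pkt[FRAG_HDR_LEN:FRAG_HDR_LEN + 4])


def face_value_ports(pkt):
    """Filter that treats the fragment-header ports as authoritative (the
    "so don't do that" approach). It never looks at the transport header, so a
    packet whose two port copies disagree is classified by the wrong ports."""
    fh = parse_frag_header(pkt)
    return fh["src_port"], fh["dst_port"]


def cross_checked_ports(pkt):
    """Filter that, on a first fragment carrying TCP, also reads the real
    transport ports and flags the packet when they disagree. Returns
    (verdict, ports) with verdict 'consistent', 'mismatch' or 'non-first'."""
    fh = parse_frag_header(pkt)
    if fh["offset"] != 0:
        return "non-first", (fh["src_port"], fh["dst_port"])
    if fh["next_hdr"] != TCP_NEXT_HDR or len(pkt) < FRAG_HDR_LEN + 4:
        return "mismatch", None
    real = transport_ports(pkt)
    if real != (fh["src_port"], fh["dst_port"]):
        return "mismatch", real
    return "consistent", real


def receiver_restore_ports(pkt):
    """The zeroed-ports variant from the reply: the sender must zero the
    transport ports and the receiver copies them back from the fragment header.
    A non-zero transport port is a protocol violation, so the packet is dropped
    (None). Only the first fragment carries the transport header."""
    fh = parse_frag_header(pkt)
    if fh["offset"] != 0:
        return None
    if transport_ports(pkt) != (0, 0):
        return None
    restored = struct.pack("!HH", fh["src_port"], fh["dst_port"])
    return pkt[:FRAG_HDR_LEN] + restored + pkt[FRAG_HDR_LEN + 4:]


def make_first_fragment(frag_sp, frag_dp, tcp_sp, tcp_dp):
    # Constructed first fragment: identification 0x1234, offset 0, more fragments set.
    return build_frag_header(0x1234, 0, True, frag_sp, frag_dp) + build_tcp_header(tcp_sp, tcp_dp)


if __name__ == "__main__":
    consistent = make_first_fragment(40000, 80, 40000, 80)
    inconsistent = make_first_fragment(40000, 80, 40000, 23)   # header says 80, TCP says 23
    print(face_value_ports(inconsistent))      # (40000, 80): classified by the wrong port
    print(cross_checked_ports(inconsistent))   # ('mismatch', (40000, 23))
    print(cross_checked_ports(consistent))     # ('consistent', (40000, 80))
    zeroed = make_first_fragment(40000, 80, 0, 0)
    print(transport_ports(receiver_restore_ports(zeroed)))   # (40000, 80)
```

The cross-check only helps on the first fragment, which is the only one that carries the transport header; for later fragments a filter still has nothing but the fragment-header copy, which is why the reply considers forcing the two copies to agree by construction (zeroing) instead of verifying them.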