Re: New fragment header, was: Re: Evolution of the IP model - ICMP and MTUs

[Iljitsch van Beijnum <iljitsch@muada.com>]

On 22 aug 2008, at 9:27, Suresh Krishnan wrote:

>  I had similar issues to you couple of years ago in going over hop  
> by hop options to get to the transport layer port information. And  
> one solution I thought of  was exactly the same as you. But I  
> eventually realized it does not work very well. e.g. What happens if  
> the eventual transport ports as seen by the end host do not match  
> wth the fragment header`s. This would be a firewall bypass vector.

Well, the first thing that always comes to my mind in these situations  
is the adage "so don't do that." (I.e., take the new fragment header  
ports at face value.)

I was considering mandating that the transport port numbers be zeroed  
out so that they must be copied back from the new fragment header by  
the receiver...

Another option would be to compress the transport headers. But I  
didn't want to make the thing overly complex.  :-)

Iljitsch