
Re: New fragment header, was: Re: Evolution of the IP model - ICMP and MTUs



Hi Iljitsch,
I had similar issues to yours a couple of years ago in going over hop-by-hop options to get to the transport layer port information. And one solution I thought of was exactly the same as yours. But I eventually realized it does not work very well. e.g. What happens if the eventual transport ports as seen by the end host do not match the fragment header's? This would be a firewall bypass vector.

Thanks
Suresh

Iljitsch van Beijnum wrote:
On 20 aug 2008, at 22:12, Francis Dupont wrote:

Note, as the issue exists only for UDP


Note that this fragment header has a broader purpose than current fragmentation, even if the above were true for existing fragmentation (it isn't, tunneling is an important issue and fragments sometimes happen where you wouldn't expect them, even with TCP).

For instance, the new fragment header will allow for a non-ICMP based path MTU discovery and easier filtering and NATing because port numbers are always in the same place regardless of extra headers, and regardless of whether the transport is TCP, UDP, SCTP or DCCP.
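The mismatch Suresh raises above, as an added example that is not part of this thread: a filter that reads ports only from the proposed header can be bypassed when those ports disagree with the real transport header, while a filter that cross-checks the two drops the inconsistency. The header layout, next-header value and the packet builder are constructed assumptions for illustration, not the draft's format.

```python
"""Constructed demo of port-claim consistency checking at a firewall.
Hypothetical fragment header layout (an assumption for this example):
  next_header(1) | reserved(1) | src_port(2) | dst_port(2)
followed here by a minimal 20-byte TCP header."""
import struct

NEXT_HEADER_TCP = 6          # real IANA protocol number for TCP
FRAG_HDR_LEN = 6             # length of the assumed fragment header
BLOCKED_DST_PORTS = {23}     # constructed policy: block telnet


def build_packet(frag_sport, frag_dport, tcp_sport, tcp_dport):
    """Build a constructed packet whose fragment header and TCP header
    may carry different port numbers (the mismatch case)."""
    frag = struct.pack("!BBHH", NEXT_HEADER_TCP, 0, frag_sport, frag_dport)
    # seq, ack, data offset (5 words), flags (SYN), window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", tcp_sport, tcp_dport,
                      0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return frag + tcp


def ports_from_fragment_header(pkt):
    """Ports as claimed by the fixed-position fragment header."""
    _, _, sport, dport = struct.unpack_from("!BBHH", pkt, 0)
    return sport, dport


def ports_from_transport_header(pkt):
    """Ports as the end host will actually see them in the TCP header."""
    return struct.unpack_from("!HH", pkt, FRAG_HDR_LEN)


def naive_policy(pkt):
    """Fast path that trusts only the fragment header's port numbers."""
    _, dport = ports_from_fragment_header(pkt)
    return "drop" if dport in BLOCKED_DST_PORTS else "accept"


def consistent_policy(pkt):
    """Cross-checking path: the two port claims must agree, otherwise the
    packet is dropped before the port policy is even consulted."""
    if ports_from_fragment_header(pkt) != ports_from_transport_header(pkt):
        return "drop"
    return naive_policy(pkt)
```

Only the first fragment carries the transport header, so the cross-check applies there; later fragments still have to be tied to it by reassembly state.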