> On Oct 28, 2021, at 7:16 AM, Roman Danyliw <r...@cert.org> wrote:
>
> [snip]
>
>> 3. Section 6 says applications should perform “full TCP segment reassembly”.
>> What does that mean? A quick google search doesn’t suggest it’s a well-known
>> term of art. I'm guessing that what you mean is that the applications should
>> capture (and log, etc) the bytestream that was segmented and transmitted by
>> TCP?
>
> I'll let the authors speak to this, but I think this means full TCP stream
> reassembly -- that is, analyze the reassembled stream, not the individual
> packets. There is a long history of evasion attacks in network security
> analysis tools when individual fragments/packets are analyzed instead of the
> reassembled streams.
>
> Roman
Thanks Roman, yes that is the intention. “Segment reassembly” is poor phrasing. I’ve seen (and probably even written) packet capture applications that only look at the first packet of a DNS over TCP conversation, or assumed that each TCP packet contains a separate DNS message. This statement is directed at those types of shortcuts.

DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
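To make the shortcut concrete, here is an added example (not code from the draft, the thread or either author) contrasting the "one DNS message per TCP packet" assumption with proper stream reassembly over the RFC 1035 two-octet length prefix. The DNS queries and the segment boundaries are constructed inline; the example assumes the TCP payloads have already been ordered and de-duplicated by sequence number, which a real capture tool must do first.

```python
"""DNS-over-TCP: per-packet parsing vs. reassembled-stream parsing (added example)."""
import struct

# --- Constructed sample data (not captured traffic) -------------------------

def build_query(txid, qname, qtype=1):
    """Build a minimal DNS query message (header + one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Prefix a DNS message with the RFC 1035 section 4.2.2 two-octet length."""
    return struct.pack("!H", len(msg)) + msg

QUERIES = [
    build_query(1, "example.com"),       # 29 bytes
    build_query(2, "ietf.org"),          # 26 bytes
    build_query(3, "dnsop.ietf.org"),    # 32 bytes
]
STREAM = b"".join(frame(q) for q in QUERIES)

# Split the byte stream into two TCP payloads so that the second message
# straddles the segment boundary and the third shares a segment with it.
# Segment 1: all of message 1 (31 bytes framed) + first 5 bytes of message 2.
SEGMENTS = [STREAM[:36], STREAM[36:]]

# --- The shortcut the reply warns about --------------------------------------

def naive_one_message_per_segment(segments):
    """Assume each TCP payload carries exactly one length-prefixed DNS message.
    Breaks as soon as a message is split or two messages share a segment."""
    out = []
    for seg in segments:
        if len(seg) < 2:
            continue
        (length,) = struct.unpack("!H", seg[:2])
        out.append(seg[2:2 + length])
    return out

# --- Stream reassembly ------------------------------------------------------

def extract_dns_messages(segments):
    """Reassemble the in-order TCP payloads into one byte stream and carve out
    complete DNS messages by their length prefix.  Returns (messages, leftover):
    leftover is any trailing partial message the caller should keep buffering
    until the next segment arrives."""
    buf = bytearray()
    messages = []
    for seg in segments:
        buf.extend(seg)
        while len(buf) >= 2:
            (length,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + length:
                break  # message not yet complete; wait for more data
            messages.append(bytes(buf[2:2 + length]))
            del buf[:2 + length]
    return messages, bytes(buf)

def question_name(msg):
    """Return the QNAME of the first question in a DNS message, or None."""
    if len(msg) < 12:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        n = msg[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def compare():
    """Run both parsers over the constructed segments."""
    naive = [question_name(m) for m in naive_one_message_per_segment(SEGMENTS)]
    msgs, leftover = extract_dns_messages(SEGMENTS)
    return naive, [question_name(m) for m in msgs], leftover

if __name__ == "__main__":
    naive, reassembled, leftover = compare()
    print("per-packet  :", naive)
    print("reassembled :", reassembled, "leftover bytes:", len(leftover))
```

The per-packet parser sees the first query correctly and then misreads the bytes of the split message as a length field, so the second and third queries never appear; the reassembled-stream parser recovers all three. The same buffering logic is what prevents the fragment/segment evasion Roman mentions, since an attacker who controls segmentation otherwise controls what the tool gets to see.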