On 10/11/2013 04:48 AM, Ray Hunter wrote:
>
> I think the draft does what it can in a pragmatic manner, but might
> benefit from some acknowledgement that this security approach of
> applying parsing at a single perimeter can never ever catch all variants
> of transporting FOO over BAR.

FWIW, my idea of the I-D is that it says "look, if you don't put all this
info into the first fragment, it's extremely likely that your packets will
be dropped". That doesn't mean that a middle-box may want to look further.
But looking further might imply reassemble-inspect-and-refragment... or
even reassemble the TCP stream (e.g. think about an SSL/TCP-based VPN...)

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492