On 10/11/2013 12:36 PM, Templin, Fred L wrote: >> FWIW, my idea of the I-D is that it says "look, if you don't put all >> this info into the first fragment, it's extremely likely that your >> packets will be dropped". That doesn't mean that a middle-box may want >> to look further. But looking further might imply >> reassemble-inspect-and-refragment... or even reassemble the TCP stream >> (e.g. think about a SSL/TCP-based VPN...) > > We definitely don't want that. That is why we would prefer for > the entire header chain (starting from the outermost IP header > up to and including the headers inserted by the original host) > to fit within the first fragment even if there are multiple > encapsulations on the path.
The problem is that if you have multiple encapsulations, you can always hit the MTU limit and fail to comply with this requirement. That's why this I-D says what it says. P.S.: Reegarding enforcing a limit on the length of the header chain, I must say I symphatize with that (for instance, check the last individual version of this I-D, and you'll find exactly that). But the wg didn't want that in -- and I did raise the issue a few times. So what we have is what the 6man wg had consensus on. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492