On Sat, 3 Aug 2013, Brian E Carpenter wrote: > On 02/08/2013 18:12, Mark ZZZ Smith wrote: > > [ Mark ZZZ Smith wrote ] ... > > > [ C. M. Heard wrote ] ... > > > > - generic transport encapsulation within UDP (suggested to me > > > > off-list by Mark Smith, based on a draft by Stuart Cheshire > > > > et. al.). ... > May I make a plea for any such proposal to be carefully evaluated against > common practices in stateful firewalls and load balancers. I'm rather > concerned > that the problems these middleboxes create with conventional fragmentation > will soon come back with UDP-encapsulated fragmentation. (There is no problem > in computer science that can't be made harder by recursion.)
Yes, UDP-encapsulated fragmentation (in its simplest form) has exactly the same issue as conventional IP fragmentation -- it hides the actual L4 header information in all but the first fragment. Operators who filter conventional IP fragments would have exactly the same motivation to filter UDP-encapsulated fragments. On Thu, 1 Aug 2013, Mark ZZZ Smith wrote: > (2) fragments can hide transport layer protocol ports, preventing > simple ACL filtering etc. ... > A general solution like SEAL (which I think in the big picture > would be better), probably doesn't solve (2) SEAL transport mode, as currently proposed, addresses the problem by including port numbers in all non-initial segments:. See: https://tools.ietf.org/html/draft-templin-intarea-seal-61#page-32 Mike Heard -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
