Re: [Ipsec] 2401bis fragment checking for BYPASS/DISCARD

On Sat, Nov 06, 2004 at 11:36:25PM -0500, Mark Duffy wrote:
> 
> I think this can be as simple as replacing this sentence in 7.4:
>    An implementation MUST support stateful fragment checking to accommodate
>    BYPASS traffic for which a non-trivial port range is specified.
> with this one:
>    An implementation MUST NOT forward fragmented BYPASS traffic
>    without performing stateful fragment checking.
> 
> I don't want to delay the progress of 2401bis unnecessarily and if the 
> change is made I don't particularly care if it is done now or later in the 
> cycle.  I imagine other changes might be needed anyway during IESG review 
> or IETF last call.

OK, we'll treat this as an issue raised during last call.  It seems to
be a reasonable proposal.  Your proposed wording does allow an
implementation which does fragment reassembly, which I assume is what
you wanted to allow explicitly?

On the other hand, a downside is that it allows an implementation that
filters all fragments to be compliant; on the other hand there are a
lot of firewalls deployed out there that do a lot of sillier things,
including filtering all ICMP packets and breaking Path MTU Discovery,
or filtering SYN packets that have ECN bits set.

I believe Tero has made the assertion that fragment reassembly and
then forwarding of BYPASS traffic is encompassed by the concept of
stateful fragment checking.  Would a rewording that made this clearer
be sufficient for you, or are there other specific behaviours you
wanted to allow?

What do other people think?

						- Ted

_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
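As an added illustration of what "stateful fragment checking" means for BYPASS traffic with a non-trivial port range (example code, not from 2401bis or from anyone in this thread): non-initial fragments carry no port numbers, so the checker keys on the datagram and lets them inherit the initial fragment's verdict, holding any that arrive early instead of forwarding them unchecked. The rule and fragment layouts below are constructed, and keying on (src, dst, proto, IP ID) is a simplification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BypassRule:
    """Constructed SPD-like BYPASS selector: protocol plus a destination port range."""
    proto: int
    dst_ports: range          # e.g. range(1024, 65536) is a non-trivial port range

@dataclass
class Fragment:
    """Constructed view of one IP fragment; only the initial one carries ports."""
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int               # 0 marks the initial fragment
    dst_port: Optional[int] = None

class StatefulFragmentChecker:
    """Per-datagram state so fragments of one datagram share a BYPASS/DISCARD verdict."""

    def __init__(self, rules):
        self.rules = rules
        self.decided = {}     # datagram key -> "BYPASS" | "DISCARD"
        self.pending = {}     # datagram key -> non-initial fragments seen before the initial one

    @staticmethod
    def _key(f):
        return (f.src, f.dst, f.proto, f.ip_id)

    def _match(self, f):
        # Only the initial fragment has a port, so only it can satisfy a port-range selector.
        return any(f.proto == r.proto and f.dst_port in r.dst_ports for r in self.rules)

    def process(self, f):
        """Return the list of (fragment, verdict) pairs that may be released now."""
        k = self._key(f)
        if f.offset == 0:
            verdict = "BYPASS" if self._match(f) else "DISCARD"
            self.decided[k] = verdict
            held = self.pending.pop(k, [])          # release fragments that were waiting
            return [(x, verdict) for x in [f] + held]
        if k in self.decided:
            return [(f, self.decided[k])]          # inherit the initial fragment's verdict
        # No verdict yet: hold the fragment rather than forward it without checking.
        self.pending.setdefault(k, []).append(f)
        return []
```

A real implementation would also age out entries in `pending` so a datagram whose initial fragment never arrives does not pin memory indefinitely.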
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.