Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt

To: Rémi Denis-Courmont <rdenis at simphalempin.com>
Subject: Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
From: Suresh Krishnan <suresh.krishnan at ericsson.com>
Date: Wed, 24 Sep 2008 11:39:07 -0400
Cc: ipv6 at ietf.org
Delivered-to: ietfarch-ipv6-web-archive at core3.amsl.com
Delivered-to: ipv6 at core3.amsl.com
In-reply-to: <b8834b7853b28364936b99a70e9e7afe at chewa.net>
List-archive: <https://www.ietf.org/mailman/private/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <20080924143001.66FD83A6DB8 at core3.amsl.com> <7b3a1d3ed7bb73e6cce8027823fd0ac8 at chewa.net> <48DA5B70.3060901 at ericsson.com> <b8834b7853b28364936b99a70e9e7afe at chewa.net>
Sender: ipv6-bounces at ietf.org
User-agent: Thunderbird 2.0.0.16 (X11/20080724)

Hi Remi,

Rémi Denis-Courmont wrote:

On Wed, 24 Sep 2008 11:23:28 -0400, Suresh Krishnan
<suresh.krishnan at ericsson.com> wrote:

1) Inside_Host(Port X)->Outside_Host(Port Y) SYN=1,ACK=0
2) Outside_Host(Port Y)->Inside Host(Port X) SYN=1,ACK=1
3) Inside_Host(Port X)->Outside_Host(Port Y) SYN=0,ACK=1

...

99) Outside_Host(Port Y)->Inside Host(Port X) SYN=0,ACK=1
     (Fragment: OH(Port Z)->IH(Port 80) SYN=1,ACK=0)

The packet numbered 99) will not be filtered even by a stateful firewall.


But then the dialog is established and a SYN=1 ACK=0 packet in the reverse
direction is not really an issue. In fact some stateful firewalls may even
allow the packet due to optimizations.

But the packet is not destined for the already established ports. Thispacket is trying to establish a new incoming http connection. If thefirewall lets it through, there is a problem.


Thanks
Suresh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

References:
- I-D Action:draft-ietf-6man-overlap-fragment-00.txt
  - From: Internet-Drafts
- Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
  - From: Rémi Denis-Courmont
- Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
  - From: Suresh Krishnan
- Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
  - From: Rémi Denis-Courmont

Prev by Date: Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
Next by Date: v6ops-addcon and longer than 64 bit prefixes
Previous by thread: Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt
Next by thread: [Fwd: I-D Action:draft-krishnan-ipv6-exthdr-04.txt]
Index(es):
- Date
- Thread

Re: I-D Action:draft-ietf-6man-overlap-fragment-00.txt

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.