In message <CAC3z6OhoYkmSiJLqHA55W_3i8GN94QR9fQbndDOj=wsp3pg...@mail.gmail.com>, Liang Zhu writes:
> On Fri, Jan 23, 2015 at 10:12 AM, Nicholas Weaver
> <nwea...@icsi.berkeley.edu> wrote:
> >
> >> On Jan 23, 2015, at 10:01 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> >>
> >> What is the problem with #2? IP fragmentation happens, and The Internet is
> >> expected to work with it. That is, of what possible value is "inform their
> >> customers"?
> >
> > The Internet has unfortunately decreed that Fragmentation Does Not Work
> > with IPv4, and Really Does Not Work with IPv6.
> >
> > This will cause timeouts until the resolver realizes it should use a
> > smaller EDNS0 MTU and in that case, the resolver will failover to TCP for
> > that query, which some in the DNS community view as anathema...
> >
>
> Besides the additional latency caused by loss recovery, as Nicholas
> said, fragments may also bring problem of fragmentation attack
> described in:
> A. Herzberg and H. Shulman. Fragmentation considered poisonous. In
> Proc. of IEEE Conference on Communications and Network Security (CNS),
> Oct. 2013.
>
> -Liang Zhu

And they are completely defeatable at the application layer.

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org