On 16/1/19 16:26, Tom Herbert wrote:
> Ron,
>
> A stateless firewall that maintains state is no longer a stateless
> firewall. Introducing state requires memory and additional logic that
> are at odds with the goal of cheap low-end devices.
>
> A stateless firewall could just drop the first fragment that contains
> the transport layer header and allow non-first fragments to pass. This
> achieves the filtering goal to prevent delivery of the reassembled
> packet. It does mean fragments that can't possibly be reassembled make
> it to the destination. Whether or not that is a mere nuisance or causes
> real problems that create a DoS vector depends on other factors in
> deployment.
This assumes the node to be firewalled implements RFC 8200/RFC 5722 -- if it doesn't, the filtering policy could be circumvented. You may or may not be able to make such an assumption. Where you can't, you may have to do stateful firewalling.

--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area
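The two positions in the exchange above can be run side by side: Tom's "drop the first fragment, pass the rest" filter, and Fernando's caveat that it only holds if the destination reassembles the way RFC 8200 (section 4.5) and RFC 5722 require. The model below is an added example written for this page, not code from either poster or from any firewall. It assumes a policy of "drop TCP SYN to port 22", a minimal 20-byte TCP header as the upper-layer header the first fragment must carry, byte offsets that are already 8-byte aligned, and constructed fragments of a single packet. The circumvention it demonstrates is the overlapping-fragment rewrite that RFC 5722 forbids: a first fragment that shows an innocuous ACK to the filter, followed by a non-first fragment that a legacy "later fragment wins" reassembler lets overwrite the TCP flags byte.

```python
"""Stateless fragment filter vs. destination reassembly behaviour (added example).

Assumptions (not from the thread): policy = drop TCP SYN to port 22; the
upper-layer header is a 20-byte TCP header; offsets are byte offsets that
are multiples of 8; all fragments belong to one packet.
"""
import struct
from dataclasses import dataclass

TCP_HDR_LEN = 20        # assumed minimal upper-layer header the first fragment must hold
BLOCKED_SYN_PORT = 22   # assumed filtering policy: block TCP SYN to this port
FLAG_SYN = 0x02
FLAG_ACK = 0x10
TCP_FMT = "!HHIIBBHHH"  # src, dst, seq, ack, dataoff, flags, window, csum, urg (20 bytes)


@dataclass(frozen=True)
class Fragment:
    ident: int      # Fragment header Identification
    offset: int     # byte offset of this payload within the original packet
    more: bool      # M flag
    payload: bytes


def tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with zero seq/ack/checksum/urgent."""
    return struct.pack(TCP_FMT, src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)


def stateless_filter(frag: Fragment) -> bool:
    """True if the fragment is forwarded. Only offset-0 fragments are inspected
    (they carry the transport header); non-first fragments always pass, as in
    Tom's description. A first fragment too short to evaluate is dropped."""
    if frag.offset != 0:
        return True
    if len(frag.payload) < TCP_HDR_LEN:
        return False  # fail closed: the policy cannot be evaluated
    _, dst_port, _, _, _, flags, _, _, _ = struct.unpack(TCP_FMT, frag.payload[:TCP_HDR_LEN])
    return not (dst_port == BLOCKED_SYN_PORT and flags & FLAG_SYN)


def reassemble(frags, rfc8200_compliant: bool):
    """Reassembled packet bytes, or None if the host discards the datagram.

    rfc8200_compliant=True: discard the whole datagram on any overlap (RFC 5722)
    and when the first fragment lacks the complete upper-layer header (RFC 8200
    s4.5). Either way a datagram missing its first or last fragment, or with a
    hole, times out and is discarded. rfc8200_compliant=False models a legacy
    stack that accepts overlaps and lets a later-arriving fragment overwrite."""
    buf, covered = bytearray(), bytearray()
    for f in frags:  # arrival order matters for the legacy overwrite model
        end = f.offset + len(f.payload)
        if end > len(buf):
            pad = end - len(buf)
            buf += b"\0" * pad
            covered += b"\0" * pad
        if rfc8200_compliant and any(covered[f.offset:end]):
            return None  # overlapping fragment: drop everything (RFC 5722)
        buf[f.offset:end] = f.payload
        covered[f.offset:end] = b"\1" * len(f.payload)
    first = [f for f in frags if f.offset == 0]
    last = [f for f in frags if not f.more]
    if not first or not last or not all(covered):
        return None  # no first/last fragment or a hole: reassembly times out
    if rfc8200_compliant and len(first[0].payload) < TCP_HDR_LEN:
        return None  # first fragment must carry the whole header chain
    return bytes(buf)


def deliver(frags, rfc8200_compliant: bool):
    """Push fragments through the filter, then reassemble at the destination.
    Returns the delivered packet's TCP flags byte, or None if nothing arrives."""
    pkt = reassemble([f for f in frags if stateless_filter(f)], rfc8200_compliant)
    return None if pkt is None else pkt[13]


def honest_syn_fragments():
    """Constructed: one SYN to port 22 split in two, transport header first."""
    hdr = tcp_header(40000, BLOCKED_SYN_PORT, FLAG_SYN)
    return [Fragment(1, 0, True, hdr + b"A" * 4), Fragment(1, 24, False, b"B" * 8)]


def overlap_attack_fragments():
    """Constructed overlap (RFC 1858 / RFC 5722 style): fragment 1 shows an ACK
    to port 22 and passes the policy; fragment 2 at offset 8 re-sends bytes
    8..19 of the TCP header with the flags byte set to SYN."""
    benign = tcp_header(40000, BLOCKED_SYN_PORT, FLAG_ACK)
    evil = tcp_header(40000, BLOCKED_SYN_PORT, FLAG_SYN)
    return [Fragment(2, 0, True, benign + b"A" * 4),
            Fragment(2, 8, False, evil[8:20] + b"A" * 4)]


if __name__ == "__main__":
    for name, frags in (("honest SYN", honest_syn_fragments()),
                        ("overlap attack", overlap_attack_fragments())):
        for compliant in (True, False):
            print(f"{name:15} RFC8200/5722={compliant!s:5} -> flags={deliver(frags, compliant)}")
```

With a compliant destination both cases yield None: the honest SYN loses its first fragment at the filter and the remainder times out, and the overlap is discarded outright. Against the legacy reassembler the filter still stops the honest SYN, but the overlap case delivers a packet whose flags byte is SYN, which is exactly the circumvention the reply warns about.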