Virtual reassembly means “forwards *as if* reassembled”, without actually reassembling. It’s actually not all that much different from the way NATs or unidirectional firewalls work for TCP.
On Feb 1, 2019, at 12:42 AM, Ole Troan <otr...@employees.org> wrote:

> if first fragment in chain
>     found = lookup 4 tuple in reassembly cache
>     if found
>         forward buffered packets
>     else
>         create session state entry in reassembly cache
>     forward packet
> else
>     found = lookup 4 tuple in reassembly cache
>     if found
>         forward packet
>     else
>         buffer packet

The only addition to the pseudocode above is to timeout the cache entries based on the “expected reordering” (see RFC 6864). That timeout performs the same function as the TCP cache entry timeout in those NATs/firewalls.

For TCP, a FIN-ack or ack after FIN (depending on who closes the connection) can flush the entry before a timeout. For fragment reassembly, the middle box CAN keep track of the fragments seen and flush the entry when a complete “virtually reassembled” packet is seen, but that’s probably overkill vs. a simple timer (actually, a packet count can suffice).

Joe
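The pseudocode above plus the timeout Joe adds, worked through as an added Python example (not code from the list thread). It assumes a constructed fragment model rather than a real packet parser, and takes the "4 tuple" to be the RFC 6864 reassembly tuple (source, destination, protocol, Identification); the timeout value is an arbitrary placeholder for the expected-reordering window.

```python
from collections import defaultdict, namedtuple

# Constructed fragment model: just the fields a middlebox needs for
# virtual reassembly. offset == 0 marks the first fragment in the chain.
Fragment = namedtuple("Fragment", "src dst proto ident offset more_frags payload")


class VirtualReassembler:
    """Forward fragments 'as if' reassembled: buffer only until the first
    fragment (carrying the transport header) has been seen, then let
    everything with matching state through. Entries expire on a timer."""

    def __init__(self, timeout):
        self.timeout = timeout            # seconds; sized to expected reordering
        self.cache = {}                   # reassembly tuple -> expiry time
        self.pending = defaultdict(list)  # reassembly tuple -> [(arrival, frag)]

    @staticmethod
    def key(frag):
        # RFC 6864 reassembly tuple (assumed reading of the "4 tuple" above)
        return (frag.src, frag.dst, frag.proto, frag.ident)

    def expire(self, now):
        """Timer replaces TCP's FIN/ACK as the signal to flush state."""
        for k in [k for k, exp in self.cache.items() if exp <= now]:
            del self.cache[k]
        # Buffered fragments whose first fragment never arrived are dropped too.
        for k in [k for k, lst in self.pending.items() if lst[0][0] + self.timeout <= now]:
            del self.pending[k]

    def process(self, frag, now):
        """Return the fragments to forward on arrival of `frag` at time `now`."""
        self.expire(now)
        k = self.key(frag)
        if frag.offset == 0:                        # first fragment in chain
            self.cache[k] = now + self.timeout      # create/refresh session state
            held = [f for _, f in self.pending.pop(k, [])]
            return [frag] + held                    # forward it and anything buffered
        if k in self.cache:                         # state exists: forward as if reassembled
            self.cache[k] = now + self.timeout
            return [frag]
        self.pending[k].append((now, frag))         # no first fragment yet: buffer
        return []


def demo():
    """Constructed trace: reordered chain, then an orphan that times out."""
    vr = VirtualReassembler(timeout=2.0)
    f1 = Fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, 0, True, b"udp-hdr+data")
    f2 = Fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, 1480, False, b"tail")
    orphan = Fragment("10.0.0.1", "10.0.0.2", 17, 0x9999, 1480, False, b"no first")
    steps = [vr.process(f2, 0.0), vr.process(orphan, 0.1),
             vr.process(f1, 0.5), vr.process(orphan, 3.0)]
    return steps, vr
```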
_______________________________________________ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area