Virtual reassembly means “forwards *as if* reassembled”, without actually 
reassembling. It’s actually not all that much different from the way NATs or 
unidirectional firewalls work for TCP. 

On Feb 1, 2019, at 12:42 AM, Ole Troan <otr...@employees.org> wrote:
> 
> if first fragment in chain
>     found = lookup 4 tuple in reassembly cache
>     if found
>         forward buffered packets
>     else
>         create session state entry in reassembly cache
>         forward packet
> else
>     found = lookup 4 tuple in reassembly cache
>     if found
>         forward packet
>     else
>         buffer packet

The only addition to the pseudocode above is to timeout the cache entries based 
on the “expected reordering” (see RFC 6864). That timeout performs the same 
function as the TCP cache entry timeout in those NATs/firewalls.

For TCP, a FIN-ack or ack after FIN (depending on who closes the connection) 
can flush the entry before a timeout. For fragment reassembly, the middlebox 
CAN keep track of the fragments seen and flush the entry when a complete 
“virtually reassembled” packet is seen, but that’s probably overkill vs. a 
simple timer (actually, a packet count can suffice).

Joe


_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area