Hi Fernando, On 06/27/2012 10:46 PM, Fernando Gont wrote: > On 06/27/2012 10:34 PM, Suresh Krishnan wrote: >> >> I read through the draft and I am generally supportive of the sentiment >> behind the draft. But the draft itself is not at all clear on what >> constitutes a "entire IPv6 header chain". Without this, I think the >> draft in its current form is not actionable. > > I simply disagree. While I have no objection with including "a crisper > definition of what 'entire IPv6 header chain'", I think claiming that > "the draft in current for is not actionable" is taking it way too far. > For instance, a bunch of people clearly understood what the document is > talking about -- with the entire IPv6 header chain being all headers > from the fixed IPv6 header chain, till the upper layer protocol (TCP, > UDP, etc. -- assuming there's one of those), including any extension > headers.
This description works for me. Just put it in the draft and we are all set. > > > >> I would like a crisper >> definition of what exactly is the expected behavior on sending, >> receiving and intermediate nodes > > Essentially, what is important is the sending behaviour: You must > include the entire IPv6 header chain in the first fragment. Intermediate > nodes may simply forward non-compliant packets, but may also decide to > drop them -- ditto for end nodes. I asked because there is a legitimate problem that you raise in Section 4 "However, if the first fragment fails to include the entire IPv6 header chain, they may have no option other than "blindly" allowing or blocking the corresponding fragment. If they blindly allow the packet, then the firewall can be easily circumvented by intentionally sending fragmented packets that fail to include the entire IPv6 header chain in the first fragment." but the draft does nothing to mitigate this issue. Thanks Suresh -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
