Hi, Suresh,

Thanks so much for your feedback! -- Please find my comments in-line...

On 06/30/2012 02:48 AM, Suresh Krishnan wrote:
>> I simply disagree. While I have no objection with including "a crisper
>> definition of what 'entire IPv6 header chain'", I think claiming that
>> "the draft in current form is not actionable" is taking it way too far.
>> For instance, a bunch of people clearly understood what the document is
>> talking about -- with the entire IPv6 header chain being all headers
>> from the fixed IPv6 header chain, till the upper layer protocol (TCP,
>> UDP, etc. -- assuming there's one of those), including any extension
>> headers.
>
> This description works for me. Just put it in the draft and we are all set.

Ok, great!

>> Essentially, what is important is the sending behaviour: You must
>> include the entire IPv6 header chain in the first fragment. Intermediate
>> nodes may simply forward non-compliant packets, but may also decide to
>> drop them -- ditto for end nodes.
>
> I asked because there is a legitimate problem that you raise in Section 4
>
> "However, if the first
> fragment fails to include the entire IPv6 header chain, they may have
> no option other than "blindly" allowing or blocking the corresponding
> fragment. If they blindly allow the packet, then the firewall can be
> easily circumvented by intentionally sending fragmented packets that
> fail to include the entire IPv6 header chain in the first fragment."
>
> but the draft does nothing to mitigate this issue.

Well, the problem *was* that at least in theory such packets could exist
in practice. Now that we'll ban those packets, then a middle-box is free
to drop first-fragments that fail to include the entire IPv6 header
chain, since those packets are illegitimate in the first place (i.e.,
problem solved!). (Note: such packets have not been found in real
networks, and middle-boxes are already dropping them -- hence we're
aligning the specs with the real-world).

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
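
The middle-box check discussed in this message, as an added example that is not part of the original e-mail or of the draft: it walks the header chain of one packet and reports whether a first fragment carries the entire IPv6 header chain. The function and sample names are hypothetical, and requiring a minimum upper-layer header size (UPPER_MIN) is an assumption of this sketch.

```python
import struct

GENERIC_EXT = {0, 43, 60, 135, 139, 140}  # HBH, Routing, DestOpts, Mobility, HIP, Shim6
FRAGMENT, AH = 44, 51
# Assumption: minimum upper-layer header bytes a filter needs (TCP, UDP, ESP, ICMPv6)
UPPER_MIN = {6: 20, 17: 8, 50: 8, 58: 4}

def first_fragment_verdict(pkt: bytes) -> str:
    """Classify one IPv6 packet: 'complete', 'incomplete' or 'not-first-fragment'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "incomplete"
    nh, off = pkt[6], 40                      # Next Header of the fixed header
    while nh in GENERIC_EXT or nh in (FRAGMENT, AH):
        if off + 8 > len(pkt):
            return "incomplete"               # chain runs past the end of this packet
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "not-first-fragment"   # non-zero Fragment Offset
            hlen = 8
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4     # AH length is in 4-octet units
        else:
            hlen = (pkt[off + 1] + 1) * 8     # Hdr Ext Len is in 8-octet units
        if off + hlen > len(pkt):
            return "incomplete"
        nh, off = pkt[off], off + hlen
    # nh is now the upper-layer protocol (or 59, No Next Header)
    return "complete" if off + UPPER_MIN.get(nh, 0) <= len(pkt) else "incomplete"

# Constructed sample packets (not captured traffic)
def ipv6(nh: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return fixed + bytes(16) + bytes(15) + b"\x01" + payload   # src ::, dst ::1

def frag(nh: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)

DESTOPTS_TCP = bytes([6, 0, 1, 4, 0, 0, 0, 0])        # DestOpts with PadN, then TCP
GOOD = ipv6(44, frag(60, 0, 1) + DESTOPTS_TCP + bytes(20))
TRUNCATED = ipv6(44, frag(60, 0, 1) + DESTOPTS_TCP)   # TCP header left for fragment 2
LATER = ipv6(44, frag(60, 1, 0) + bytes(20))          # Fragment Offset 1

if __name__ == "__main__":
    for name, p in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED), ("LATER", LATER)):
        print(name, first_fragment_verdict(p))
```

A filter applying the policy described above would drop packets classified "incomplete" and match its rules against the upper-layer header of those classified "complete".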