On 02/09/2013 04:57 AM, Brian E Carpenter wrote:
>> Something that might make sense is to specify something along the lines
>> of "if the size of the upper layer header is unknown (say, the upper
>> layer protocol is implemented as a loadable module, in userland, or the
>> like).
>>
>> Thoughts?
> 
> If you specify a minimum of 8 bytes that would cover most cases, wouldn't it?

Not really. Firewalls look at many fields in the layer-4 headers -- and
such stuff can be past the first 8 bytes. e.g. OpenBSD PF looks at stuff
such as the initial TCP window for passive OS fingerprinting, such that
you can filter based on the OS type. For instance, the ability to look
at the TCP flags is mandatory for most firewalls.


> I don't think you will find much enthusiasm among coders for a case statement
> that adjusts the number of bytes according to the layer 4 protocol.

There are a number of places where this could be taken care of:

* The IPv6 layer, with a case statement (as you describe) -- there are
not that many upper-layer protocols, anyway.
* The transport layer (where you know the MTU, and you know how many
bytes you're sending down the stack)
* The user application (If you're going to insert extension headers, do
the math and make sure all the headers make it into the first fragment)


If we fail to include critical information in the first fragment, such
traffic will be dropped even more than it currently is.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
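An added example, not part of the original message or of any implementation it mentions: a receiver-side check that a first fragment carries the whole extension header chain and the complete upper-layer header, using the per-protocol case analysis discussed in the thread. The function names, the `unknown_min` fallback of 8 bytes for unrecognized protocols, and the sample packet are assumptions made for illustration.

```python
import struct

IPV6_HDR_LEN = 40
VAR_EXT = {0, 43, 60}              # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH, TCP = 44, 51, 6
FIXED_L4 = {17: 8, 58: 4, 59: 0}   # UDP, ICMPv6 (type/code/checksum), No Next Header


def l4_header_in_first_fragment(pkt: bytes, unknown_min: int = 8) -> bool:
    """True if pkt (an unfragmented IPv6 packet or a first fragment) holds the
    whole extension header chain plus the complete upper-layer header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in VAR_EXT or nh in (FRAGMENT, AH):
        if off + 8 > len(pkt):          # every extension header is >= 8 bytes
            return False
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                raise ValueError("not a first fragment")
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    if off > len(pkt):                  # last extension header is truncated
        return False
    avail = len(pkt) - off
    if nh == TCP:                       # flags at byte 13, window at 14-15
        if avail < 20:
            return False
        data_off = (pkt[off + 12] >> 4) * 4   # TCP header length incl. options
        return 20 <= data_off <= avail
    return avail >= FIXED_L4.get(nh, unknown_min)   # assumed fallback if unknown


def sample_first_fragment(l4_bytes: int) -> bytes:
    """Constructed sample: IPv6 + Fragment header + the first l4_bytes of a
    32-byte TCP header (SYN, data offset 8, 12 bytes of zeroed options)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 8 << 4, 0x02, 65535, 0, 0) + bytes(12)
    frag = struct.pack("!BBHI", TCP, 0, 0x0001, 0x1234)   # offset 0, M flag set
    payload = frag + tcp[:l4_bytes]
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), FRAGMENT, 64) + bytes(32)
    return ip6 + payload
```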
