On 02/09/2013 08:11 AM, Brian E Carpenter wrote:
> On 09/02/2013 09:11, Fernando Gont wrote:
>>
>> Not really. Firewalls look at many fields in the layer-4 headers -- and
>> such stuff can be past the first 8 bytes. e.g. OpenBSD PF looks at stuff
>> such as the initial TCP window for passive OS fingerprinting, such that
>> you can filter based on the OS type. For instance, the ability to look
>> at the TCP flags is mandatory for most firewalls.
> 
> But the job of this draft is to specify the "on the wire" behaviour of a
> sending host. 

Exactly: and it requires including all headers up to the entire layer-4
header.


> To do that, as far as I can see, you have specify how many
> bytes of the transport header MUST be in the first fragment. Does it include
> TCP options, for example?

Yes. TCP options are part of the TCP header... so they should be there.

The short story is: all sorts of devices are used to look at the layer-4
header. Legitimate traffic won't have the IPv6 header chain spanning
multiple fragments. So such packets will be dropped. We need to flag
them as appropriate, such that folks that might possibly send those
packets are aware that those packets probably won't survive in the network.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
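As an added example (not from the thread or from any draft text), here is a Python checker that walks the header chain of an IPv6 first fragment the way a firewall would and reports whether the entire layer-4 header, TCP options included via the Data Offset field, ends before the fragment boundary. The packet builder and the TCP SYN samples are constructed for this illustration; the header-type numbers are the standard IANA protocol numbers.

```python
import struct

# IPv6 extension headers the chain walker steps over (IANA protocol numbers).
EXT_HEADERS = {0, 43, 44, 60}          # Hop-by-Hop, Routing, Fragment, Dest Opts
# Minimum layer-4 header sizes; TCP is refined below via its Data Offset field.
L4_MIN = {6: 20, 17: 8, 58: 8}         # TCP, UDP, ICMPv6

def first_fragment_has_full_l4(pkt: bytes) -> bool:
    """Walk the header chain of an IPv6 first fragment and report whether the
    whole layer-4 header (TCP options included) ends before the fragment ends.
    Non-first fragments and unknown upper-layer protocols yield False."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return False                    # chain cut off by the fragment boundary
        if nh == 44:                        # Fragment header is a fixed 8 bytes
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return False                # fragment offset != 0: not the first one
            nh, off = pkt[off], off + 8
        else:                               # others: (Hdr Ext Len + 1) * 8 bytes
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh not in L4_MIN:
        return False
    need = L4_MIN[nh]
    if nh == 6:
        if off + 13 > len(pkt):
            return False                    # Data Offset byte itself is missing
        need = (pkt[off + 12] >> 4) * 4     # TCP header length, options included
    return off + need <= len(pkt)

def build_first_fragment(l4: bytes, next_header: int = 6) -> bytes:
    """Constructed sample: IPv6 base header + Fragment header (offset 0, M=1)."""
    base = struct.pack("!IHBB", 0x60000000, 8 + len(l4), 44, 64) + bytes(32)
    frag = struct.pack("!BBHI", next_header, 0, 0x0001, 0x1234abcd)
    return base + frag + l4

# Constructed TCP SYN headers: one without options (Data Offset 5 -> 20 bytes),
# one with a 12-byte option block (Data Offset 8 -> 32 bytes).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP_SYN_OPTS = TCP_SYN[:12] + bytes([8 << 4]) + TCP_SYN[13:] \
    + b"\x02\x04\x05\xa0\x01\x01\x04\x02\x01\x03\x03\x07"

if __name__ == "__main__":
    for name, l4 in [("full", TCP_SYN), ("options", TCP_SYN_OPTS),
                     ("cut", TCP_SYN_OPTS[:24])]:
        print(name, first_fragment_has_full_l4(build_first_fragment(l4)))
```

The "cut" case is the one the thread is about: the fixed 20 TCP bytes are present but the options announced by Data Offset spill into the next fragment, so a device that filters on the full layer-4 header cannot evaluate it.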

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------