[Jool-list] SIIT fragmentation header translation

Alberto Leiva ydahhrk at gmail.com
Wed Feb 15 13:57:36 CST 2017


> Quite. Also, https://tools.ietf.org/html/rfc7915#section-1.2 says in no
> uncertain terms: «Fragmented ICMP/ICMPv6 packets will not be translated
> by IP/ICMP translators.»

Hmm. What curious phrasing. Then, now that you mention it, NAT64 Jool
appears to be breaking this requirement.

Although I'm lost as to why NAT64 Jool would not want to translate
these packets. The pseudoheader can be added and removed in O(1) time.
As far as security is concerned, I don't see ICMP fragments being any
more of a risk than TCP/UDP fragments.

Maybe it was intended to refer to SIIT only?

Alberto

On Wed, Feb 15, 2017 at 1:26 PM, Tore Anderson <tore at fud.no> wrote:
> * Alberto Leiva
>
>> We choose to live with this because fragmented pings are not very
>> important Internet traffic.
>
> Quite. Also, https://tools.ietf.org/html/rfc7915#section-1.2 says in no
> uncertain terms: «Fragmented ICMP/ICMPv6 packets will not be translated
> by IP/ICMP translators.»
>
> Tore
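
Added example, not part of the original message and not Jool's code: the O(1) pseudo-header adjustment mentioned above, written as an RFC 1624 incremental checksum update and checked against a full recomputation. It assumes the translator already knows the total ICMPv6 message length (for a fragmented packet, only after reassembly); all function names, addresses and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum (RFC 1071). */
static uint16_t fold(uint32_t s)
{
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* Add len bytes, read as big-endian 16-bit words, to a running sum. */
static uint32_t sum_bytes(uint32_t s, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        s += ((uint32_t)p[0] << 8) | p[1];
    return len ? s + ((uint32_t)p[0] << 8) : s;
}
/* IPv6 pseudo-header sum: both addresses, upper-layer length, next header 58. */
static uint32_t pseudo6(const uint8_t src[16], const uint8_t dst[16], uint32_t l4_len)
{
    uint32_t s = sum_bytes(sum_bytes(0, src, 16), dst, 16);
    return s + (l4_len >> 16) + (l4_len & 0xffff) + 58;
}
/* O(n) reference: checksum a whole ICMP message, skipping its checksum field.
 * init is 0 for ICMPv4 and pseudo6(...) for ICMPv6. */
uint16_t icmp_csum_full(uint32_t init, const uint8_t *msg, size_t len)
{
    uint32_t s = sum_bytes(init, msg, 2);
    return (uint16_t)~fold(sum_bytes(s, msg + 4, len - 4));
}
/* O(1) translation: adjust the ICMPv4 checksum (RFC 1624, eqn. 3) for the new
 * type/code word and the added pseudo-header, without reading the payload. */
uint16_t icmp4_to_icmp6_csum(uint16_t csum4, uint16_t tc4, uint16_t tc6, uint32_t pseudo)
{
    uint32_t s = (uint16_t)~csum4 + (uint16_t)~tc4 + tc6 + fold(pseudo);
    return (uint16_t)~fold(s);
}
/* Constructed sample: echo request, id 0x1234, seq 1, odd-length payload. */
int demo_checksums_match(void)
{
    uint8_t msg[] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t src[16] = { 0x00, 0x64, 0xff, 0x9b, [12] = 192, 0, 2, 1 };
    const uint8_t dst[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
    uint32_t ph = pseudo6(src, dst, sizeof msg);
    uint16_t c4 = icmp_csum_full(0, msg, sizeof msg);
    uint16_t fast = icmp4_to_icmp6_csum(c4, 0x0800, 0x8000, ph);
    msg[0] = 128; /* ICMPv6 echo request */
    return fast == icmp_csum_full(ph, msg, sizeof msg);
}
int main(void) { return demo_checksums_match() ? 0 : 1; }
```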

