On 02/08/2016 05:09 PM, Mark Andrews wrote:
> In message <BLUPR05MB1985F5F2BB3118362C67B921AED50@xxxxxxxxxxxxxxxxxxxxxxxxxxx.
> outlook.com>, Ronald Bonica writes:
>> Hi Alexey,
>>
>> This question comes up every few years. The short answer is:
>>
>>
>> - The vast majority of Internet traffic rides over TCP or UDP
>>
>> - Generally speaking, traffic that rides over TCP does not rely
>> on IP fragmentation
>>
>> - However, traffic that rides over UDP absolutely relies on IP
>> fragmentation
>>
>> So, as things stand, IP fragmentation is required to support UDP.
>> However, the conversation doesn't end at that.
>>
>> Operational experience has taught us that IPv6 fragmentation does not
>> work so well. Unlike IPv4, IPv6 encodes fragmentation information in an
>> IPv6 extension header. Sadly, many operators discard packets containing
>> that extension header. So, as specified, IPv6 provides fragmentation
>> services, but as deployed, it does not.
>
> Actually fragmentation works well unless you have a firewall that
> drops fragments. When they are not being deliberately blocked the
> packets get through and are reassembled. It is also not many
> operators. It is some operators.
>
> Additionally there are zero reasons why firewalls can't open <src,
> dst, frag offset != 0> when they open <src, dst, proto, src port,
> dst port> for reply traffic for those that are paranoid about just
> letting all non-zero fragment offset through. I just let the
> non-zero offset fragments through.

If and only if the packets do not employ other EHs and all the nodes
behind the fw implement RFC5722...

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
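The rule discussed in this thread (open <src, dst, frag offset != 0> alongside the 5-tuple, but only when no other extension headers are involved), as an added example that is not part of the original messages or any firewall's code. The names `decide` and `make_packet`, the "pass"/"drop"/"normal" labels, and the 2001:db8:: addresses are assumptions made for illustration; treating any other extension header as a reason to withhold the shortcut is one conservative reading of the caveat.

```python
import ipaddress
import struct

FRAGMENT = 44            # IPv6 Fragment header
OTHER_EH = {0, 43, 60}   # hop-by-hop, routing, destination options

def make_packet(src, dst, offset, more, frag_nh=17, hop_by_hop=False):
    """Constructed sample input: base header, optional hop-by-hop, Fragment header."""
    frag = struct.pack("!BBHI", frag_nh, 0, (offset << 3) | more, 0x1234)
    # Hop-by-hop header: next header, length 0, one 6-byte PadN option.
    pre = struct.pack("!BB6s", FRAGMENT, 0, b"\x01\x04" + bytes(4)) if hop_by_hop else b""
    body = pre + frag + bytes(8)
    base = struct.pack("!IHBB", 6 << 28, len(body), 0 if hop_by_hop else FRAGMENT, 64)
    return (base + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

def decide(packet, open_pairs):
    """Return 'pass', 'drop' or 'normal' (hand to the ordinary rule set).

    open_pairs holds (src, dst) tuples added when the matching
    <src, dst, proto, src port, dst port> reply entry was opened.
    """
    if len(packet) < 40:
        return "drop"                      # truncated base header
    if packet[6] != FRAGMENT:
        return "normal"                    # unfragmented, or other EHs come first
    if len(packet) < 48:
        return "drop"                      # truncated Fragment header
    frag_nh, _, off_m, _ident = struct.unpack("!BBHI", packet[40:48])
    if frag_nh in OTHER_EH:
        return "normal"                    # fragmentable part starts with another EH
    if off_m >> 3 == 0:
        return "normal"                    # first fragment carries the ports
    pair = (ipaddress.IPv6Address(packet[8:24]),
            ipaddress.IPv6Address(packet[24:40]))
    return "pass" if pair in open_pairs else "drop"

SERVER = ipaddress.IPv6Address("2001:db8::53")
CLIENT = ipaddress.IPv6Address("2001:db8:1::10")
OPEN = {(SERVER, CLIENT)}                  # reply direction only
```

The shortcut says nothing about overlapping fragments; that part of the caveat still depends on the receiving hosts discarding them as RFC 5722 requires.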