On Thu, Feb 11, 2016 at 12:58 PM, Joe Touch <touch@xxxxxxx> wrote:
>
>
> On 2/11/2016 6:05 AM, Masataka Ohta wrote:
>> Joe Touch wrote:
>>
>>> I repeat: nodes that encap or decap are acting as sources or sinks, not
>>> relays.
>>
>> I'm afraid firewalls are relays.
>
> A firewall that filters on L3 is a router regardless of which side you
> look at.

Using 'layers' to describe Internet architecture can be very misleading because the Internet isn't layered according to the ISO model and the layers don't necessarily stack up the way people expect once tunneling is involved.

For example, if I have an SSH channel to a system (or a TLS firewall), I have a transport layer protocol that is presenting a packet layer interface. So if we number the layers, we have 1, 2, 3, 4, 5, 3 [4, 5, 7].

One of the things I learned early on programming Microsoft BASIC was to not use sequential line numbers. And I was really glad to get rid of line numbers when I moved to machines with decent amounts of RAM.

Seems to me that the numbered layer model confuses rather than clarifies and especially so when tunneling is being discussed.

A tunnel should be a tunnel. If you fragment at the tunnel ingress, you should defragment at the egress. Otherwise you are simply pushing your state maintenance requirements onto the receiving endpoint in a way that isn't scalable.
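The closing point of the message (fragment at the tunnel ingress, reassemble at the tunnel egress, so that reassembly state lives at the tunnel endpoints rather than at the inner receiver) can be shown with a small simulation. The following is an added example written for this thread, not code from any of the participants or from any real tunnel implementation. All names (`Fragment`, `ingress_fragment`, `EgressReassembler`, `run_tunnel`) and the sample packets are constructed here; the fragment header is a toy one (packet id, byte offset, more-fragments flag) chosen only to illustrate the mechanism.

```python
"""Toy tunnel: fragment at ingress, reassemble at egress (constructed example).

The inner endpoint behind the egress only ever sees whole packets, so it
keeps no reassembly state; the egress holds a per-packet-id table instead.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    pkt_id: int      # identifies the original inner packet (hypothetical header)
    offset: int      # byte offset of this piece within the inner packet
    more: bool       # True unless this is the final fragment
    payload: bytes


def ingress_fragment(pkt_id: int, inner: bytes, tunnel_mtu: int) -> list:
    """Split one inner packet into fragments no larger than the tunnel MTU."""
    if tunnel_mtu <= 0:
        raise ValueError("tunnel MTU must be positive")
    if not inner:
        # An empty packet still needs one (final) fragment to be deliverable.
        return [Fragment(pkt_id, 0, False, b"")]
    frags = []
    for off in range(0, len(inner), tunnel_mtu):
        chunk = inner[off:off + tunnel_mtu]
        frags.append(Fragment(pkt_id, off, off + tunnel_mtu < len(inner), chunk))
    return frags


class EgressReassembler:
    """Holds partial packets at the tunnel egress until they are complete."""

    def __init__(self):
        self._pending = {}  # pkt_id -> {offset: Fragment}

    def receive(self, frag: Fragment):
        """Store a fragment; return the whole inner packet once complete, else None."""
        table = self._pending.setdefault(frag.pkt_id, {})
        table[frag.offset] = frag
        last = [f for f in table.values() if not f.more]
        if not last:
            return None  # final fragment not seen yet, total length unknown
        total = last[0].offset + len(last[0].payload)
        pos, buf = 0, bytearray()
        while pos < total:  # walk contiguous offsets; any gap means still waiting
            f = table.get(pos)
            if f is None:
                return None
            buf += f.payload
            pos += len(f.payload)
        del self._pending[frag.pkt_id]  # state released once delivered
        return bytes(buf)

    def pending(self) -> int:
        """Number of packets the egress is still holding state for."""
        return len(self._pending)


def run_tunnel(packets, tunnel_mtu, order=None):
    """Fragment every packet at ingress, deliver fragments (optionally reordered
    or with some dropped, via `order`), and return what the egress handed to
    the inner receiver plus how much state the egress still holds."""
    frags = []
    for pkt_id, pkt in enumerate(packets):
        frags.extend(ingress_fragment(pkt_id, pkt, tunnel_mtu))
    if order is not None:
        frags = [frags[i] for i in order]
    egress = EgressReassembler()
    delivered = []
    for f in frags:
        whole = egress.receive(f)
        if whole is not None:
            delivered.append((f.pkt_id, whole))
    return delivered, egress.pending()


if __name__ == "__main__":
    # Constructed sample: a 10-byte and a 3-byte inner packet over a 4-byte tunnel MTU.
    print(run_tunnel([b"A" * 10, b"B" * 3], tunnel_mtu=4, order=[3, 2, 1, 0]))
```

Reordering the fragments (the `order` argument) shows that the receiver behind the egress is unaffected by tunnel-internal reordering, and dropping one fragment shows where the leftover state sits: in the egress table, not at the inner endpoint.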