Mark Andrews wrote:

>> Remember, with IPv6, the firewall can't fragment the reassembled
>> packets. So, no, unless the firewall output reassembled packets,
>> which may be larger than MTU of an outgoing link, it is not "act
>> like that's what's happening".
>
> The key words were "act like that's what's happening". You can
> hold fragments until you see the first fragment, check it, then
> release all matching fragments.

Thus, a set of packets is investigated and there is no reassembly
happening.

It is merely that some firewalls sometimes change filtering behavior
by investigating a set of packets (like snooping the ftp command stream
to open a data port, which no one calls virtual TCP streaming),
regardless of whether the packets are fragments of a packet or not.

> You can virtually reassemble all
> the fragments then release them all if you need to see the entire
> packet. There has never been a need to throw away all fragments.

Ok, ok.

Though something you call "virtual reassembly" is not reassembly at
all, its processing cost is equivalent to real reassembly.

That is, you are saying fragmentation and reassembly are so easy that
there is no need to avoid them.

So, let's revise IPv6 and use fragmentation everywhere. There has never
been a need for impossible PMTUD.

> Only poor purchasing decisions causing everyone else to have to
> work around them.

It is caused primarily by the stupid design of IPv6.

						Masataka Ohta
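The hold-check-release scheme discussed above (hold fragments keyed by source, destination and Identification until the first fragment arrives, check it, then release every matching fragment unchanged), as an added example that is not code from this thread or from any firewall. It assumes a toy policy (allow TCP to port 443, drop everything else), that the Fragment header directly follows the IPv6 base header, and a constructed traffic sample; the `max_pending` bound on held fragments per packet is likewise an assumption of this example. No datagram is ever rebuilt: each packet goes out as the bytes it arrived as.

```python
"""Virtual reassembly of IPv6 fragments: hold, inspect the first fragment, release unchanged."""
import struct

IPPROTO_TCP = 6
IPPROTO_FRAGMENT = 44
ALLOW, DROP = "allow", "drop"


def build_ipv6_fragment(src, dst, ident, offset8, more, next_hdr, payload):
    """Raw IPv6 packet whose base header is followed directly by a Fragment
    header (RFC 8200 s4.5). offset8 is the fragment offset in 8-octet units."""
    frag = struct.pack("!BBHI", next_hdr, 0, (offset8 << 3) | int(more), ident)
    base = struct.pack("!IHBB", 6 << 28, len(frag) + len(payload), IPPROTO_FRAGMENT, 64)
    return base + src + dst + frag + payload


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options) for constructed test traffic."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse(pkt):
    """(key, offset8, more, next_hdr, payload) for a fragment, None if unfragmented.
    Assumption: no other extension header sits between the base and Fragment header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    if len(pkt) < 40 + plen:
        raise ValueError("truncated packet")
    if nh != IPPROTO_FRAGMENT:
        return None
    if plen < 8:
        raise ValueError("truncated fragment header")
    next_hdr, _, off_m, ident = struct.unpack("!BBHI", pkt[40:48])
    return (pkt[8:24], pkt[24:40], ident), off_m >> 3, bool(off_m & 1), next_hdr, pkt[48:40 + plen]


def policy(next_hdr, upper):
    """Toy rule (assumption): allow TCP to port 443, drop everything else.
    A first fragment too short to show the ports fails closed."""
    if next_hdr != IPPROTO_TCP or len(upper) < 4:
        return DROP
    return ALLOW if struct.unpack("!H", upper[2:4])[0] == 443 else DROP


class VirtualReassembler:
    def __init__(self, max_pending=64):
        self.flows = {}                  # (src, dst, ident) -> per-packet state
        self.max_pending = max_pending   # assumption: cap on fragments held per packet

    def process(self, pkt):
        """Return the list of (verdict, packet) released by this arrival.
        Packets go out exactly as received; nothing is reassembled."""
        parsed = parse(pkt)
        if parsed is None:                       # unfragmented: check and forward at once
            return [(policy(pkt[6], pkt[40:]), pkt)]
        key, off8, more, nh, payload = parsed
        f = self.flows.setdefault(key, {"verdict": None, "pending": [], "seen": 0, "total": None})
        if off8 == 0:                            # first fragment carries the transport header
            f["verdict"] = policy(nh, payload)
        if not more:                             # last fragment fixes the datagram length
            f["total"] = off8 * 8 + len(payload)
        f["seen"] += len(payload)                # assumes no overlap or duplicates (see note)
        if f["verdict"] is None:
            f["pending"].append(pkt)
            if len(f["pending"]) > self.max_pending:   # bound the memory a flood can pin
                out = [(DROP, p) for p in f["pending"]]
                del self.flows[key]
                return out
            return []
        out = [(f["verdict"], p) for p in f["pending"]] + [(f["verdict"], pkt)]
        f["pending"].clear()
        if f["total"] is not None and f["seen"] >= f["total"]:
            del self.flows[key]                  # every byte accounted for: forget the packet
        return out


def demo():
    """Constructed traffic: two fragmented packets arriving last-fragment-first, a flood of
    non-first fragments with no first fragment, and one unfragmented packet."""
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"
    fw = VirtualReassembler(max_pending=3)
    results = {}
    for name, ident, dport in (("https", 0x1234, 443), ("ssh", 0x5678, 22)):
        first = build_ipv6_fragment(src, dst, ident, 0, True, IPPROTO_TCP,
                                    tcp_header(40000, dport) + b"A" * 12)   # 32 bytes, 8-aligned
        last = build_ipv6_fragment(src, dst, ident, 4, False, IPPROTO_TCP, b"B" * 10)
        held = fw.process(last)           # arrives first: nothing decided, nothing released
        released = fw.process(first)      # decides for the whole set, releases both unchanged
        results[name] = (len(held), [v for v, _ in released], [p for _, p in released] == [last, first])
    out = []
    for off8 in range(1, 5):              # four non-first fragments, never a first one
        out = fw.process(build_ipv6_fragment(src, dst, 0x9999, off8, True, IPPROTO_TCP, b"C" * 8))
    results["flood"] = (len(out), all(v == DROP for v, _ in out), len(fw.flows))
    plain = struct.pack("!IHBB", 6 << 28, 20, IPPROTO_TCP, 64) + src + dst + tcp_header(1, 443)
    results["plain"] = fw.process(plain)[0][0]
    return results


if __name__ == "__main__":
    for name, observed in demo().items():
        print(name, observed)
```

The per-packet state (verdict, held fragments, byte tally) is where the cost lives: a real implementation also needs a timer to expire state for packets whose first fragment never shows up, and the byte tally above trusts that fragments neither overlap nor repeat, which an attacker controls, so a production filter has to track offsets rather than just sum lengths.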