On 2/11/2016 12:54 PM, Masataka Ohta wrote:
> Joe Touch wrote:
...
>> So yes, a firewall that inspects L4 or encap/decaps either needs to
>> reassemble fragments or act like that's what's happening (e.g., to
>> retain a copy of the first fragment of a set to direct later fragments
>> within that set).
>
> Remember, with IPv6, the firewall can't fragment the reassembled
> packets.

Routers shouldn't reassemble, but then routers aren't supposed to look
beyond L3. You cannot have it both ways. Once you inspect L4, you *are*
acting as a host.

As Mark pointed out, you don't need to strictly reassemble (i.e., to
emit a corresponding reassembled packet). You just need to reassemble
the information.

> So, no, unless the firewall output reassembled packets,
> which may be larger than MTU of an outgoing link, it is not "act
> like that's what's happening".

As Fred pointed out, existing devices already emulate reassembly without
emitting the reassembled result.

--

Remember too, that if the firewall is "translating" the headers it ends
up completely acting as a host - because it sources IP packets with its
own IP addresses. In that case, it can apply source fragmentation.

Yes - this also means that a firewall that changes headers needs to
assign new, unique ID values for any fragmented packets too. And it
needs to act as a terminus for ICMP PTB errors to adjust its
fragmentation size.

Again, the model leads you to the correct conclusions.

Joe
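The "reassemble the information, not the packet" approach discussed in the message above, as an added Python example that is not part of the original thread or of any product mentioned in it. It models a stateless-forwarding IPv6 firewall that inspects L4 ports: the verdict is taken on the first fragment of a set, cached under (src, dst, Identification), and applied to the other fragments of that set, which are forwarded individually and never recombined into a packet larger than the outgoing MTU. The fragment builder, the addresses, the port policy, the 8-byte minimum of L4 data required in a first fragment and the lack of state eviction are all assumptions of the example, not behaviour the thread attributes to any device.

```python
import struct
from collections import defaultdict

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_FRAGMENT = 6, 17, 44
IPV6_HDR = struct.Struct("!IHBB16s16s")   # ver/tc/flow, payload len, next hdr, hop limit, src, dst
FRAG_HDR = struct.Struct("!BBHI")         # next hdr, reserved, offset<<3 | res<<1 | M, Identification


def build_fragments(src, dst, ident, next_hdr, l4, mtu=1280):
    """Constructed sample input: split an L4 datagram into IPv6 fragments the
    way a sending host does (RFC 8200 source fragmentation). Not a parser of
    real captures; it exists so the example runs offline."""
    chunk = ((mtu - IPV6_HDR.size - FRAG_HDR.size) // 8) * 8   # non-last fragments are 8-octet multiples
    frags = []
    for off in range(0, len(l4), chunk):
        piece = l4[off:off + chunk]
        more = 1 if off + len(piece) < len(l4) else 0
        fh = FRAG_HDR.pack(next_hdr, 0, off | more, ident)      # off is a multiple of 8, so off == (off // 8) << 3
        ih = IPV6_HDR.pack(0x60000000, FRAG_HDR.size + len(piece), IPPROTO_FRAGMENT, 64, src, dst)
        frags.append(ih + fh + piece)
    return frags


class VirtualReassemblyFirewall:
    """Applies an L4 port policy to IPv6 fragments without emitting a reassembled
    packet. Only the information a host would derive from reassembly is kept:
    the first fragment's verdict, the byte ranges seen, and fragments that
    arrived before the first one. (Assumption: no timers or size bounds on
    this state; a deployable version needs both.)"""

    MAX_DATAGRAM = 65535        # offset + payload may never exceed the IPv6 reassembly limit
    MIN_L4_IN_FIRST = 8         # assumption: first fragment must carry at least both port numbers

    def __init__(self, policy):
        self.policy = policy                 # policy(proto, sport, dport) -> bool
        self.verdict = {}                    # (src, dst, ident) -> "ACCEPT" | "DROP"
        self.ranges = defaultdict(list)      # (src, dst, ident) -> [(start, end)] byte ranges already seen
        self.pending = defaultdict(list)     # non-first fragments held until the first one arrives

    def _l4_verdict(self, proto, l4):
        if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < self.MIN_L4_IN_FIRST:
            return "DROP"                    # we cannot inspect what the policy asks us to inspect
        sport, dport = struct.unpack("!HH", l4[:4])
        return "ACCEPT" if self.policy(proto, sport, dport) else "DROP"

    def process(self, pkt):
        """Return [(verdict, packet), ...] for every packet decided by this arrival.
        An empty list means the fragment is being held for its first fragment."""
        _, plen, nh, _, src, dst = IPV6_HDR.unpack_from(pkt)
        body = pkt[IPV6_HDR.size:IPV6_HDR.size + plen]
        if nh != IPPROTO_FRAGMENT:           # unfragmented: inspect the L4 header directly
            return [(self._l4_verdict(nh, body), pkt)]

        l4proto, _, offm, ident = FRAG_HDR.unpack_from(body)
        offset, more = (offm >> 3) * 8, offm & 1
        data = body[FRAG_HDR.size:]
        key = (src, dst, ident)

        # Reassembly *information* checks: no buffer, just the arithmetic a host would do.
        if offset + len(data) > self.MAX_DATAGRAM or (more and len(data) % 8):
            self.verdict[key] = "DROP"       # would overflow reassembly, or malformed non-last fragment
        elif any(offset < e and s < offset + len(data) for s, e in self.ranges[key]):
            self.verdict[key] = "DROP"       # overlapping fragment: RFC 5722 says discard the whole datagram
        self.ranges[key].append((offset, offset + len(data)))

        if offset == 0 and key not in self.verdict:
            self.verdict[key] = self._l4_verdict(l4proto, data)   # the only fragment that carries ports
        if key not in self.verdict:          # a later fragment beat the first one: hold it
            self.pending[key].append(pkt)
            return []
        v = self.verdict[key]
        return [(v, p) for p in self.pending.pop(key, [])] + [(v, pkt)]


def verdicts(fw, pkts):
    """Feed packets in order and flatten the verdicts that come out."""
    return [v for p in pkts for v, _ in fw.process(p)]


if __name__ == "__main__":
    # Constructed addresses (documentation prefix) and a DNS-only policy.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    dns_only = lambda proto, sport, dport: proto == IPPROTO_UDP and dport == 53
    udp = struct.pack("!HHHH", 40000, 53, 8 + 3000, 0) + b"A" * 3000     # UDP header + 3000-byte payload
    frags = build_fragments(src, dst, 0x1234, IPPROTO_UDP, udp)
    fw = VirtualReassemblyFirewall(dns_only)
    print(len(frags), "fragments ->", verdicts(fw, reversed(frags)))     # held until the first arrives
```

The first-fragment verdict covers the ports; the range bookkeeping is what lets the device refuse an overlapping or oversized set without ever building the datagram. Note one consequence of never reassembling: a first fragment may already have been forwarded before a later overlapping fragment reveals the set as bad, so this design can only stop the remainder. A device that must guarantee the receiving host never sees any part of such a set has to reassemble for real, and then it is the host-like behaviour (source fragmentation, fresh Identification values, handling ICMP PTB itself) that the message above describes.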