netdev

Re: IPv6 fragmentation and IPv6 header parsing

To: netdev@xxxxxxxxxxx
Subject: Re: IPv6 fragmentation and IPv6 header parsing
From: Brad Chapman <kakadu@xxxxxxxxxxxxx>
Date: Mon, 30 Jul 2001 13:21:00 -0400
References: <3B64B076.6090709@xxxxxxxxxxxxx> <20010729212317.I1486@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux 2.4.7 i586; en-US; C-UPD: MaxLinux0301) Gecko/20001107 Netscape6/6.0
Harald Welte wrote:

On Sun, Jul 29, 2001 at 08:55:18PM -0400, Brad Chapman wrote:

Everyone,

   I am currently completing a port of the Netfilter connection
tracking subsystem from IPv4 to IPv6. Most of the features in this
port are complete, except for fragment handling, which is non-
existent. I am also not entirely sure about how to properly parse
header chains and extract various extension and layer-4 headers
for use by the connection tracking subsystem. Enclosed with this
message are my current efforts regarding IPv6 fragmentation and
IPv6 header chain parsing.


I'm not sure if your 1:1 attempt of a port is a good idea.

In IPv6, routers do not fragment packets at all.
This clashes with the current way connection tracking for IPv4 is
implemented in netfilter (defrag at input, refrag at output).

So, don't try to add fragmentation support to the core (nobody will include
it anyway, I guess), but try to implement a connection tracking which works
without that defrag-refrag need.

Brad

Mr. Harald,

(if you get this, Mr. Harald, it's because I misspelled `netdev' and deleted
   the original message)

Well, okay. I thought about the possibility of violating the RFCs, and at
first I stayed away from attempting to add IPv4-style fragment support. But,
TBH, there are really three different things that can be done with this issue:

  1. Ignore all fragments, and NF_DROP fragmented packets. Period. This one
     is probably the most RFC-compliant.

  2. Copy packets, hold originals, and push copies into connection tracking
     system. This one sounds kludgy and bloaty and violates RFCs.

  3. Rewrite _everything_ to deal with fragmented packets. TBH, that's scary.

If given a choice, and told that defragging/refragging packets on the fly violated
the RFCs, I would probably choose the first option above.

  BTW, what about header chain parsing? Am I doing that right?

Brad
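
The header chain walk asked about above, combined with option 1 (drop anything carrying a Fragment header), as an added example that is not part of the original message and is neither the enclosed code nor netfilter's own. The names `ipv6_find_l4`, `conntrack_verdict`, `l4_info`, `V_DROP`/`V_ACCEPT` (standing in for netfilter verdicts) and the sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AUTH = 51, NH_DSTOPTS = 60 };   /* IANA protocol numbers */
enum { V_DROP, V_ACCEPT };                /* hypothetical verdict names */
struct l4_info { uint8_t proto; size_t offset; int fragmented; };
/* Constructed 56-byte packets: fixed header, one 8-byte extension header
 * (Hop-by-Hop or Fragment), then 8 zero bytes standing in for TCP. */
static const uint8_t sample_plain[56] = { [0] = 0x60, [5] = 16, [6] = NH_HOPOPTS, [40] = NH_TCP };
static const uint8_t sample_frag[56]  = { [0] = 0x60, [5] = 16, [6] = NH_FRAGMENT, [40] = NH_TCP };

/* Walk the extension header chain. Returns 0 on success, -1 if the packet
 * is truncated or malformed. Invariant: off <= len, so len - off is safe. */
int ipv6_find_l4(const uint8_t *pkt, size_t len, struct l4_info *out)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];                  /* Next Header of the fixed header */
    size_t off = 40, hlen;
    out->fragmented = 0;
    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: case NH_AUTH:
            if (len - off < 2) return -1;
            /* AH length: 4-octet units minus 2; others: 8-octet units minus 1 */
            hlen = nh == NH_AUTH ? ((size_t)pkt[off + 1] + 2) * 4
                                 : ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case NH_FRAGMENT:
            if (len - off < 8) return -1;
            out->fragmented = 1;          /* L4 header may not be in this packet */
            out->proto = pkt[off];
            out->offset = off + 8;
            return 0;
        default:                          /* upper-layer protocol or unknown header */
            out->proto = nh;
            out->offset = off;
            return 0;
        }
        if (hlen > len - off) return -1;  /* header claims more than we hold */
        nh = pkt[off];
        off += hlen;
    }
}

/* Option 1 from the mail: drop anything fragmented or unparseable. */
int conntrack_verdict(const uint8_t *pkt, size_t len)
{
    struct l4_info l4;
    return (ipv6_find_l4(pkt, len, &l4) < 0 || l4.fragmented) ? V_DROP : V_ACCEPT;
}
```

Every length byte is checked against the bytes actually held before the walk advances, so a header that claims more than the packet contains ends in a drop rather than an out-of-bounds read.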

