Hi, Joel, On 10/04/2012 10:58 AM, joel jaeggli wrote:
So the thing I'd note is that stateless IPV6 ACLs or load balancing provide you with an interesting problem since a fragment does not contain the headers beyond the required unfragmentable headers.
In the real world, such packets are not legitimate, so feel free to drop them. draft-ietf-6man-oversized-header-chain formally addresses this issue.
Likewise with the acl I have the property that the initial packet has all the info in it while the fragment does not.
You're talking about initial-fragment vs non-initial fragments? -- If so, in theory *both* might be missing the upper layer information. IN practice, the first-fragment won't. If it does, feel free to drop it. Cheers, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1