Why do we still need IPv4 when we are migrating to IPv6...
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 13 15:12:31 CET 2015
On 13/02/15 13:27, Mikael Abrahamsson wrote:
> Packet reaches HGW2, which has no flow state, and is dropped. ICMP error
> message might be created.
> In case of ICMP error message, U1 should ignore this.
That's an application-layer issue. It all depends on how they're talking
to the socket API. They might not even see the ICMP error if they're
just doing dumb send() calls.
> U2 sends a packet from U2IP,U2PORT to U1IP,U1PORT.
> HGW2 creates flow state.
> Packet hits HGW1 which already has a flow state, and packet successfully
> reaches U1.
> U1 now can start sending packets to U2 as well and they've worked around
> both of them having HGWs with stateful firewalls disallowing new
> connections to them.
>
> Right?
Yes.
>
> The crucial step here seems to be the fact that initial packets might be
> dropped and error messages be generated, but these should be ignored by
> the application. Is this commonplace? Is it a problem at all?
As above, depends on how they're using the socket API. As a rule for UDP
connections, you actually have to put *more* work in to see ICMP errors.
It's certainly possible to ignore them.
More information about the ipv6-ops
mailing list