NAPT & IP Fragments

DJFuji

Diamond Member
Oct 18, 1999
Question:
What crucial information used by NAPT is not available in most IP fragments?

Am I right in saying protocol port numbers? Because an IP Datagram contains IP addresses but not port numbers...

Or am I off in left field here?
 

cmetz

Platinum Member
Nov 13, 2001
DJ Fuji, it's possible to create an IP packet that is a fragment at offset 0 with more fragments set that does not have the full UDP or TCP header. Such a packet is not legitimate and should just be dropped - which is what most NAT, PAT, or firewall devices do.

Now, for fragments at offset >0, PAT has a problem because there's no copy of the UDP or TCP header in those fragments, only the offset 0 fragment (except as above). Which means the PAT can't demux the packet to a flow state unless it holds the fragment and reassembles the IP packet. Which is what most (all?) PAT devices do.
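The demultiplexing problem described in the reply above, as an added Python example that is not part of this thread: a fragment-aware flow lookup that learns the port pair from the offset-0 fragment, holds fragments that arrive before it, and drops a first fragment whose payload is too short to carry a complete UDP or TCP header. The addresses, IP ID and payload bytes are constructed test vectors, not captured traffic.

```python
import struct

def parse_ipv4(pkt):
    """Return (proto, ip_id, more_fragments, fragment_offset_in_bytes, src, dst, payload)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vhl, _tos, _tlen, ip_id, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (vhl & 0x0F) * 4
    more = bool(flags_off & 0x2000)          # MF (more fragments) bit
    offset = (flags_off & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return proto, ip_id, more, offset, pkt[12:16], pkt[16:20], pkt[ihl:]

class FragmentAwareDemux:
    """Resolve each fragment to a (proto, src, sport, dst, dport) flow key.
    Only the offset-0 fragment carries the transport header, so later fragments
    are matched through state recorded from it, keyed by (src, dst, proto, IP ID)."""
    def __init__(self):
        self.pending = {}

    def classify(self, pkt):
        proto, ip_id, more, offset, src, dst, payload = parse_ipv4(pkt)
        frag_key = (src, dst, proto, ip_id)
        if offset == 0:
            min_hdr = 20 if proto == 6 else 8       # full TCP header or full UDP header
            if len(payload) < min_hdr:
                return ("drop", None)               # no complete L4 header: not legitimate
            sport, dport = struct.unpack("!HH", payload[:4])
            flow = (proto, src, sport, dst, dport)
            if more:
                self.pending[frag_key] = flow       # remember ports for the later fragments
            return ("forward", flow)
        flow = self.pending.get(frag_key)
        if flow is None:
            return ("hold", None)                   # first fragment not seen yet: queue it
        if not more:
            del self.pending[frag_key]              # last fragment of this datagram
        return ("forward", flow)

def build_fragment(ip_id, offset, more, proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\xc0\x00\x02\x01"):
    """Construct an IPv4 fragment (checksum left zero; constructed test vector, not real traffic)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_off, 64, proto, 0, src, dst) + payload

def sample_fragments():
    """Constructed 1572-byte UDP datagram (port 40000 -> 53) split into two fragments."""
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + 1464 + 100, 0)
    first = build_fragment(0x1234, 0, True, 17, udp_hdr + b"A" * 1464)
    second = build_fragment(0x1234, 1472, False, 17, b"B" * 100)
    return first, second
```

Feeding the second fragment before the first shows why a NAPT must buffer: the lookup returns "hold" until the offset-0 fragment supplies the ports.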