Lance Spitzner wrote:
>
> Mikael, before we flame Checkpoint, keep in mind they are following
> RFC. The end host, and not intermediary routers, are supposed to
> perform packet reassembly [Stevens, 11.5].
Yes, but according to those (firewall-unaware) RFCs, routers aren't
supposed to look past the checksum and the destination IP, either.
And they definitely should NOT drop packets, and even if they
do for some reason, they should always send ICMP Unreachables.
(Not to mention fiddling with protocols above IP.)
:-)
I'd say "roast 'em over a slow burning bed of coals" if they
aren't doing (pseudo)reassembly because there's been so many
problems with illegal fragments that by now the need for it
should be patently obvious.
> Whooh, looks like I did a bad job of my description. The initial
> packet needs to be at least 24 bytes in length. If the last
> Fragmented packet is 8 bytes, it will still be accepted.
Ah, *that's* another story. I agree that the first fragment
should cover complete TCP headers (even though it violates
RFC a bit). The fact that 24 isn't enough for a TCP header
with many options is another story. Have you checked what
happens if you try to fragment a really large TCP header?
> I definitely need to do more testing before I can confirm any
> of this.
Please do, I'd be very interested in reading what your findings are.
Regards,
Mikael
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
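The thread argues that a firewall doing (pseudo)reassembly should insist that the first fragment carry the complete TCP header, and that a fixed 24-byte minimum is too small once TCP options are present. The following Python script is an added illustration of that check, written for this thread and not taken from the discussion or from any vendor's product. It builds a TCP header with 16 bytes of options (so the header is 36 bytes), splits it into IP-style fragments, and runs a pseudo-reassembly validator that reports a first fragment that stops short of the header's data offset, overlapping fragments, gaps, and non-final fragments whose length is not a multiple of 8. All packets are constructed in memory; the `Fragment` class, `fragment()` and `check_fragment_set()` names are my own.

```python
import struct
from dataclasses import dataclass
from typing import List

MIN_TCP_HEADER = 20   # TCP header without options
MIN_FIRST_FRAGMENT = 24  # the fixed minimum mentioned in the thread


@dataclass
class Fragment:
    """One IP fragment, reduced to the fields the check needs (constructed, not parsed)."""
    offset: int     # fragment offset in 8-byte units, as in the IP header
    more: bool      # MF (more fragments) flag
    payload: bytes  # transport-layer bytes carried by this fragment


def build_tcp_header(src_port: int, dst_port: int, options: bytes = b"") -> bytes:
    """Build a SYN segment header; options are padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (MIN_TCP_HEADER + len(options)) // 4       # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port,
                        0, 0,                 # seq, ack
                        data_offset << 4,     # data offset in high nibble
                        0x02,                 # SYN
                        65535, 0, 0)          # window, checksum (unset), urgent
    return fixed + options


def fragment(payload: bytes, chunk: int) -> List[Fragment]:
    """Split a transport payload the way IP would, with each chunk a multiple of 8 bytes."""
    assert chunk % 8 == 0, "non-final fragments must be multiples of 8 bytes"
    frags = []
    for off in range(0, len(payload), chunk):
        frags.append(Fragment(off // 8, off + chunk < len(payload), payload[off:off + chunk]))
    return frags


def check_first_fragment(frag: Fragment) -> List[str]:
    """Require the first fragment to cover the whole TCP header as declared by its data offset."""
    n = len(frag.payload)
    if n < MIN_TCP_HEADER:
        return [f"first fragment ({n} bytes) shorter than a minimal TCP header"]
    declared = (frag.payload[12] >> 4) * 4   # data offset field -> header length in bytes
    if declared < MIN_TCP_HEADER:
        return [f"first fragment declares an impossible data offset ({declared} bytes)"]
    if n < declared:
        # This is exactly the case a fixed 24-byte minimum misses: 24 >= MIN_FIRST_FRAGMENT
        # but the header with options is longer than 24 bytes.
        return [f"first fragment ({n} bytes) covers only {n} of the {declared}-byte TCP header"]
    return []


def check_fragment_set(frags: List[Fragment]) -> List[str]:
    """Pseudo-reassemble a fragment set and return every policy violation found."""
    findings: List[str] = []
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        findings.append("no first fragment (offset 0) present")
    else:
        findings.extend(check_first_fragment(frags[0]))
    expected = 0   # next byte offset we expect a fragment to start at
    for i, f in enumerate(frags):
        start = f.offset * 8
        if f.more and len(f.payload) % 8:
            findings.append(f"fragment at {start}: non-final fragment length not a multiple of 8")
        if start < expected:
            findings.append(f"fragment at {start}: overlaps previous fragment")
        elif start > expected:
            findings.append(f"fragment at {start}: gap before fragment")
        if not f.more and i != len(frags) - 1:
            findings.append(f"fragment at {start}: data follows the final fragment")
        expected = max(expected, start + len(f.payload))
    return findings


# Constructed sample: MSS, NOPs and a zero-filled timestamp option = 16 bytes of options.
OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x01\x08\x0a" + b"\x00" * 8
SEGMENT = build_tcp_header(1234, 80, OPTIONS) + b"A" * 20   # 36-byte header + 20 bytes data


def demo_24_byte_first_fragment() -> List[str]:
    """First fragment is 24 bytes: passes the fixed minimum, fails the header-coverage check."""
    return check_fragment_set(fragment(SEGMENT, 24))


def demo_40_byte_first_fragment() -> List[str]:
    """First fragment is 40 bytes and holds the whole 36-byte header: no findings."""
    return check_fragment_set(fragment(SEGMENT, 40))


def demo_overlap() -> List[str]:
    """Second fragment claims offset 32 while the first already covered bytes 0-39."""
    return check_fragment_set([Fragment(0, True, SEGMENT[:40]), Fragment(4, False, SEGMENT[32:])])


if __name__ == "__main__":
    for name, fn in [("24-byte first fragment", demo_24_byte_first_fragment),
                     ("40-byte first fragment", demo_40_byte_first_fragment),
                     ("overlapping fragments", demo_overlap)]:
        print(f"{name}: {fn() or ['ok']}")
```

Note that the 24-byte split also produces an 8-byte final fragment, and the validator accepts it, matching the observation in the thread that a short last fragment is legitimate; the only finding is the first fragment that stops in the middle of the options. Tying the minimum to the segment's own data offset, rather than to a constant, is what makes the check hold for headers with many options.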