2000-04-23-17:54:52 Dave Carmean:
> How much packet fragmentation do folks see in "normal" Internet
> traffic? I.e. where path-MTU discovery hasn't been broken, etc.
> In other words: what should I expect if I were to simply disallow all
> inbound fragments?
If you were to simply disallow all inbound fragments, you'd see
broken traffic coming from servers that _don't_ attempt path MTU
discovery, if any MTU along the way is smaller than the first hop.
> Also, at a BayLISA meeting last week, Brent mentioned something about
> fragmentation being used to bypass packet filtering by somehow re-writing
> part of the header during reassembly, [...]
It's a worry.
I like using firewalls that reassemble all packets; that removes
that worry altogether. I haven't heard of a case where it's a good
idea to allow fragments to traverse a firewall.
-Bennett
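As an added illustration (example code, not from the thread or any firewall product) of the reassemble-before-filter approach Bennett prefers: fragments are rebuilt into one datagram first, and the datagram is dropped if a later fragment overlaps bytes already delivered (the header-rewrite trick Dave asks about) or if the first fragment is too short to carry the transport header. The MIN_FIRST_FRAGMENT policy value and the sample fragments are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int     # byte offset of this piece within the original datagram
    more: bool      # IPv4 "More Fragments" flag
    payload: bytes  # IP payload carried by this fragment

# Policy chosen for this example (an assumption, not an RFC constant): the first
# fragment must carry the whole fixed TCP header, so ports and flags cannot be deferred.
MIN_FIRST_FRAGMENT = 20

def reassemble(frags):
    """Rebuild the datagram, rejecting overlaps, holes and tiny first fragments."""
    seen = {}     # byte position -> value; any revisit is an overlap
    total = None  # datagram length, known once the final fragment is seen
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset == 0 and len(f.payload) < MIN_FIRST_FRAGMENT:
            raise ValueError("first fragment too short for transport header")
        if not f.more:
            if total is not None:
                raise ValueError("more than one final fragment")
            total = f.offset + len(f.payload)
        for i, byte in enumerate(f.payload):
            if f.offset + i in seen:
                # A later fragment rewriting delivered bytes is the reassembly trick to refuse.
                raise ValueError(f"overlapping fragment at byte {f.offset + i}")
            seen[f.offset + i] = byte
    if total is None or any(pos not in seen for pos in range(total)):
        raise ValueError("datagram incomplete")
    return bytes(seen[pos] for pos in range(total))

def filter_tcp(frags, blocked_ports):
    """Decide on the reassembled datagram, never on an individual fragment."""
    try:
        data = reassemble(frags)
    except ValueError as why:
        return f"drop: {why}"
    dst_port = int.from_bytes(data[2:4], "big")  # TCP destination port
    return "drop: port blocked" if dst_port in blocked_ports else "accept"

def tcp_header(dst_port):
    """Constructed 20-byte TCP header: src port 40000, SYN flag, no options."""
    return (40000).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(8) + b"\x50\x02" + bytes(6)

# Constructed sample datagrams (not captured traffic).
LEGIT = [Fragment(0, True, tcp_header(80) + b"A" * 4), Fragment(24, False, b"B" * 10)]
OVERLAP = [Fragment(0, True, tcp_header(80) + b"A" * 4), Fragment(16, False, b"X" * 12)]
TINY = [Fragment(0, True, tcp_header(80)[:8]), Fragment(8, False, tcp_header(80)[8:])]
```

Running filter_tcp over LEGIT, OVERLAP and TINY yields accept, drop for the overlap, and drop for the short first fragment respectively.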