Mikael Olsson wrote:
> 
> Paul Cardon wrote:
> >
> > Yup. As Lance's experiments with FW-1 point out, current stateful
> > filtering firewalls still make forwarding decisions based on the current
> > packet and state saved from previous packets. Fragment and TCP stream
> > reassembly are not performed.
> 
> *ahem* I beg to differ. I know of at least _ONE_ that does fragment
> reassembly. (I wrote the reassembly algorithm; I ought to know).
> Although granted, I obviously don't work at checkpoint :-)

Well, that's one more than I knew about.  Sounds like I at least need to
do some reading on Enternet if not play with it at some point. 
Question.  Do you then pass the original fragments or the result of the
reassembly?

> > Unfortunately that would introduce latency that stateful filtering
> > vendors are trying to avoid.
> 
> Yes, but this is not the normal case. The normal case is to receive
> fragments and TCP segments in-sequence, which would not introduce
> any extra latency. If things are arriving out-of-sequence, you'd
> end up buffering things, but if you want to protect against a number
> of attacks (as firewalls are supposed to do!) you have to buffer.

Yeah.  I should have thought that through better.  The end station isn't
going to be able to do anything until it receives all the fragments
anyway.

-paul
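Added illustration (not code from the thread, Mikael's product, or FW-1): a toy fragment reassembler showing the two paths discussed above. Fragments arriving in sequence are forwarded as soon as they are seen, so the common case adds no latency; only out-of-sequence fragments are held, and they are released once the gap before them fills. Fragment fields, the `Reassembler` class and the drop-on-overlap policy are all assumptions chosen for the example, and the sample fragments are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    """Minimal view of an IP fragment (constructed for this example)."""
    datagram_id: int        # IP identification field shared by all fragments
    offset: int             # byte offset of this fragment's payload
    payload: bytes
    more_fragments: bool    # MF flag; False on the last fragment


@dataclass
class DatagramState:
    next_expected: int = 0                                   # next contiguous byte offset
    pending: Dict[int, Fragment] = field(default_factory=dict)  # offset -> buffered fragment
    total_len: Optional[int] = None                          # known once the last fragment is seen


class Reassembler:
    """Forwards in-order fragments immediately and buffers out-of-order ones."""

    def __init__(self) -> None:
        self.states: Dict[int, DatagramState] = {}

    def accept(self, frag: Fragment) -> List[Fragment]:
        """Return the fragments that may be forwarded now, in byte order."""
        st = self.states.setdefault(frag.datagram_id, DatagramState())

        # Anything starting before the contiguous frontier is a duplicate or an
        # overlap; a firewall should drop it rather than guess which copy wins.
        if frag.offset < st.next_expected:
            return []

        if not frag.more_fragments:
            st.total_len = frag.offset + len(frag.payload)

        if frag.offset != st.next_expected:
            # Out of sequence: hold it until the gap in front of it is filled.
            st.pending[frag.offset] = frag
            return []

        # Fast path: this fragment is exactly the next one, forward it at once.
        out = [frag]
        st.next_expected += len(frag.payload)

        # Drain any buffered fragments that are now contiguous.
        while st.next_expected in st.pending:
            nxt = st.pending.pop(st.next_expected)
            out.append(nxt)
            st.next_expected += len(nxt.payload)

        if st.total_len is not None and st.next_expected >= st.total_len:
            del self.states[frag.datagram_id]   # datagram complete, free state
        return out


def forwarded_offsets(frags: List[Fragment]) -> List[List[int]]:
    """For each arriving fragment, the offsets released by that arrival."""
    r = Reassembler()
    return [[f.offset for f in r.accept(frag)] for frag in frags]


if __name__ == "__main__":
    a = Fragment(1, 0, b"aaaa", True)
    b = Fragment(1, 4, b"bbbb", True)
    c = Fragment(1, 8, b"cc", False)
    print(forwarded_offsets([a, b, c]))   # in order: each forwarded on arrival
    print(forwarded_offsets([b, c, a]))   # out of order: all released with a
```

Run as a script it prints `[[0], [4], [8]]` for the in-sequence arrival and `[[], [], [0, 4, 8]]` for the out-of-sequence one, which is the latency argument in the thread made concrete: buffering cost is paid only when the end station could not have used the data yet anyway.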