No harm, no foul (except my butchered spelling of velour). =-)
> Would this mean that the proof-of-concept code only works with NICs
> that do checksumming of their own? (That would have been nice to know)
No. The code still works with a checksum of 0 without a checksumming
NIC. It was just easier to write the code with an ip checksum of 0 rather
than going through the expense of actually calculating it.
> Fact: Firewalls that do not verify the integrity of fragments cannot
> protect against fragmentation attacks. If you allow fragments through
> out of order, you cannot possibly verify their integrity.
Well, you can, to a point. If you're keeping track of fragment info, you
can still verify the integrity of all the pieces that have passed, and if
a fragment comes in (in whatever order) that would create an invalid
packet when reassembled, you should be able to reject the fragment
then. I don't believe IP requires the fragments to be in order either, so
firewalls should be dealing with the possibility that fragments will
arrive out of order.
Spammy? Perhaps. A good discussion nonetheless. You don't see
fragmentation too often, so people may be forgetting how they're supposed
to deal with it.
.phonix.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
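The two technical points in the exchange above, the IP header checksum the proof-of-concept skipped by writing 0, and a firewall that keeps per-datagram fragment state so it can reject a fragment that would make an invalid reassembly whatever order the pieces arrive in, as an added Python example. This is not code from the thread or from the proof-of-concept it discusses. The packet layout is plain 20-byte IPv4; the addresses, identification values, the constructed sample fragments, and the policy choices (an 8-byte minimum for a first fragment, overlaps accepted only as exact retransmits) are assumptions chosen for illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

IP_MAX_LEN = 65535  # largest reassembled IPv4 datagram, header included


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header whose checksum field is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_fragment(src, dst, ident, offset, more, payload, proto=17, fill_checksum=True):
    """Minimal 20-byte IPv4 header plus payload. offset is in bytes, a multiple of 8.
    fill_checksum=False leaves the checksum field at 0, as the PoC in the thread did."""
    assert offset % 8 == 0
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    if fill_checksum:
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(pkt: bytes) -> dict:
    """Pull the reassembly key, byte offset, MF flag, payload and checksum verdict out."""
    vihl, _, total_len, ident, flags_frag, _, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = pkt[:ihl]
    csum_ok = ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum
    return {"key": (src, dst, ident, proto), "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000), "payload": pkt[ihl:total_len],
            "csum_ok": csum_ok}


@dataclass
class _Reassembly:
    pieces: list = field(default_factory=list)  # (start, end, data), end exclusive
    final_end: Optional[int] = None             # set once the MF=0 fragment is seen


class FragmentTracker:
    """Per-datagram check that works in any arrival order: each fragment is tested
    against everything already accepted for the same (src, dst, id, proto)."""

    def __init__(self):
        self.flows = {}

    def check(self, frag: dict):
        r = self.flows.setdefault(frag["key"], _Reassembly())
        start, data, more = frag["offset"], frag["payload"], frag["more"]
        end = start + len(data)
        if not frag["csum_ok"]:
            return False, "bad IP header checksum"
        if end + 20 > IP_MAX_LEN:
            return False, "fragment would push the datagram past 65535 bytes"
        if more and len(data) % 8:
            return False, "non-final fragment length is not a multiple of 8"
        if start == 0 and more and len(data) < 8:  # policy: ports must be in the first piece
            return False, "first fragment too short to hold a transport header"
        if not more and r.final_end is not None and r.final_end != end:
            return False, "a second last-fragment claims a different datagram length"
        if not more and any(e > end for _, e, _ in r.pieces):
            return False, "earlier fragment extends past the last fragment"
        if more and r.final_end is not None and end > r.final_end:
            return False, "fragment extends past the last fragment"
        for s, e, d in r.pieces:  # overlaps are allowed only as exact retransmits
            lo, hi = max(s, start), min(e, end)
            if lo < hi and d[lo - s:hi - s] != data[lo - start:hi - start]:
                return False, "overlap with different data at bytes %d-%d" % (lo, hi)
        if not more:
            r.final_end = end
        r.pieces.append((start, end, data))
        return True, "ok"


def demo():
    """Constructed sample: a 40-byte datagram split 16+16+8 and delivered last fragment
    first, then an overlapping rewrite of bytes 8-24, then a zero-checksum packet."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    body = bytes(range(40))
    frags = [build_fragment(src, dst, 0x1234, off, more, body[off:off + n])
             for off, n, more in ((0, 16, True), (16, 16, True), (32, 8, False))]
    tracker = FragmentTracker()
    accepted = [tracker.check(parse_fragment(frags[i]))[0] for i in (2, 0, 1)]
    overlap = build_fragment(src, dst, 0x1234, 8, True, b"\xff" * 16)
    overlap_ok, overlap_why = tracker.check(parse_fragment(overlap))
    zero = build_fragment(src, dst, 0x5678, 0, False, b"A" * 8, fill_checksum=False)
    zero_ok = parse_fragment(zero)["csum_ok"]
    return accepted, overlap_ok, overlap_why, zero_ok


if __name__ == "__main__":
    print(demo())
```

The tracker does not wait for the whole datagram before judging a fragment: the moment a piece conflicts with what has already been accepted (a rewrite of bytes another fragment already supplied, a piece beyond the end fixed by the MF=0 fragment, a second "last" fragment with a different length), it is rejected on arrival, which is the out-of-order case the post describes. A zero in the checksum field only passes if the true one's-complement checksum of that header happens to be zero, so the PoC's shortcut is visible to any stack or firewall that bothers to verify.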