paul,
thanks for the perspective and the info. on the whole, it clarifies
things considerably.
i did want to comment a bit with this para:
> Fragment reassembly has proven to be a weak point in stacks. In this
> specific point, Checkpoint was trying to do some virtual fragment
> reassembly and messed it up. Reassembling fragments at the border is
> probably a good protective measure, but may break some things. Like ICMP
> blocking breaking PMTU, it's difficult for a novice administrator to
> determine how or what got broken when it's implemented.
>
> Paul
while it is empirically true that fragmentation (or more specifically
reassembly of fragments) has been a weak point in IP stacks, it really
shouldn't be.
RFC815 outlines a very clear and very simple algorithm for correct (and
efficient) reassembly. it could be further optimized to support
reverse-order fragments (by writing over the headers of the previously
received fragment in-place, thereby saving copies and hassle). the key
idea is: keep track of what you're missing, not what you've got. RFC815,
correctly implemented, would have easily withstood the land attacks of a
couple of years ago. (and the damned rfc dates from 1988, so no good
reason to have not done it by now!).
the only vendor/stack that i know of that has implemented it is cisco
(they claim as of 11.3 IOS--no code so no proof). in linux's ip_input.c
there's a comment asking for someone to implement it (if i understood the
kernel a bit better i would just do it--maybe i will some day anyway).
anyway, i just wanted to take a bit of air out of the widely believed myth
that reassembly has to be hard.
todd
=========================================================
Todd Underwood, [EMAIL PROTECTED]
criticaltv.com criticalfashion.com
news, analysis and criticism. about tv. about fashion.
and other stuff.
=========================================================
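The "keep track of what you're missing" algorithm from RFC 815 that todd describes above, written out as an added example in C. This is not code from the original post, and it is neither Cisco's nor Linux's implementation. It assumes fragment offsets already multiplied out into byte units from the 8-octet wire units, a cap of 64 hole descriptors per datagram (an assumption made here to bound per-datagram state, not something the RFC specifies), and a constructed 24-byte sample datagram; reverse-order delivery, overlapping fragments, and conflicting or misaligned fragments are each exercised.

```c
/* RFC 815 hole-descriptor reassembly (added illustration, not a stack's real code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM 65535   /* maximum IPv4 datagram length, so data[] covers any offset */
#define MAX_HOLES 64      /* assumption: per-datagram cap on hole descriptors to bound state */

/* A hole is an inclusive byte range [first, last] that has not been received yet. */
typedef struct { uint32_t first, last; } hole_t;

typedef struct {
    uint8_t  data[MAX_DGRAM];
    hole_t   holes[MAX_HOLES];   /* sorted by 'first', non-overlapping */
    int      nholes;
    uint32_t total_len;          /* learned from the MF=0 fragment; 0 until then */
} reasm_t;

void reasm_init(reasm_t *r)
{
    memset(r, 0, sizeof *r);
    /* RFC 815 starts with a single hole 0..infinity; MAX_DGRAM-1 stands in for infinity. */
    r->holes[0].first = 0;
    r->holes[0].last  = MAX_DGRAM - 1;
    r->nholes = 1;
}

/* Feed one fragment: 'first' = byte offset (fragment offset * 8), 'len' = payload length,
 * 'mf' = More-Fragments flag. Returns 1 when complete, 0 if more is needed, -1 if rejected.
 * Nothing in *r is modified on rejection, so a bad fragment cannot poison the buffer. */
int reasm_add(reasm_t *r, uint32_t first, const uint8_t *buf, uint32_t len, bool mf)
{
    if (len == 0 || first % 8 != 0) return -1;   /* offsets are 8-octet units on the wire */
    if (mf && len % 8 != 0) return -1;           /* only the last fragment may be unaligned */
    uint64_t last64 = (uint64_t)first + len - 1;
    if (last64 >= MAX_DGRAM) return -1;          /* would overflow a maximal datagram */
    uint32_t last = (uint32_t)last64;

    uint32_t new_total = r->total_len;
    if (!mf) {
        /* Two different "last" fragments for one datagram are a conflict, not a retransmit. */
        if (r->total_len != 0 && r->total_len != last + 1) return -1;
        new_total = last + 1;
    } else if (r->total_len != 0 && last >= r->total_len) {
        return -1;                               /* reaches past the known end */
    }

    /* RFC 815 steps 1-8: rebuild the hole list, splitting every hole the fragment overlaps. */
    hole_t fresh[MAX_HOLES];
    int n = 0;
    for (int i = 0; i < r->nholes; i++) {
        hole_t h = r->holes[i];
        /* A hole entirely past an MF=0 fragment means data was already accepted beyond
         * the claimed end of the datagram: conflicting fragments, reject. */
        if (!mf && h.first > last) return -1;
        if (first > h.last || last < h.first) {  /* no overlap: keep the hole untouched */
            if (n == MAX_HOLES) return -1;
            fresh[n++] = h;
            continue;
        }
        if (first > h.first) {                   /* leading remainder of the hole */
            if (n == MAX_HOLES) return -1;
            fresh[n++] = (hole_t){ h.first, first - 1 };
        }
        if (last < h.last && mf) {               /* trailing remainder, dropped when MF=0 */
            if (n == MAX_HOLES) return -1;
            fresh[n++] = (hole_t){ last + 1, h.last };
        }
    }
    /* Commit only after every check passed. Overlapping bytes: later copy wins here;
     * stacks differ on this rule, so a reassembling border device should pick one
     * policy and apply it consistently. */
    memcpy(r->data + first, buf, len);
    memcpy(r->holes, fresh, n * sizeof fresh[0]);
    r->nholes = n;
    r->total_len = new_total;
    return (n == 0 && r->total_len != 0) ? 1 : 0;
}

/* Constructed 24-byte sample datagram (not captured traffic). */
static const uint8_t SAMPLE[] = "0123456789abcdefghijklmn";
#define SAMPLE_LEN 24

int demo_reverse_order(void)   /* last fragment arrives first; returns 1 on success */
{
    static reasm_t r; reasm_init(&r);
    if (reasm_add(&r, 16, SAMPLE + 16, 8, false) != 0) return 0;
    if (reasm_add(&r,  8, SAMPLE +  8, 8, true)  != 0) return 0;
    if (reasm_add(&r,  0, SAMPLE +  0, 8, true)  != 1) return 0;
    return r.total_len == SAMPLE_LEN && memcmp(r.data, SAMPLE, SAMPLE_LEN) == 0;
}

int demo_overlap(void)         /* bytes 8..15 arrive twice; returns 1 on success */
{
    static reasm_t r; reasm_init(&r);
    if (reasm_add(&r, 0, SAMPLE,     16, true)  != 0) return 0;
    if (reasm_add(&r, 8, SAMPLE + 8, 16, false) != 1) return 0;
    return r.total_len == SAMPLE_LEN && memcmp(r.data, SAMPLE, SAMPLE_LEN) == 0;
}

int demo_rejects(void)         /* bad fragments are refused and leave the hole list intact */
{
    static reasm_t r; reasm_init(&r);
    if (reasm_add(&r,  0, SAMPLE,      8, true)  != 0)  return 0;
    if (reasm_add(&r,  0, SAMPLE,      8, false) != -1) return 0;  /* MF=0 where MF=1 said more follows */
    if (reasm_add(&r,  8, SAMPLE + 8,  5, true)  != -1) return 0;  /* middle fragment not a multiple of 8 */
    if (reasm_add(&r, 16, SAMPLE + 16, 8, false) != 0)  return 0;  /* total_len becomes 24 */
    if (reasm_add(&r, 24, SAMPLE,      8, true)  != -1) return 0;  /* beyond the known end */
    return r.nholes == 1 && r.holes[0].first == 8 && r.holes[0].last == 15;
}

int main(void)
{
    printf("reverse order: %d, overlap: %d, rejects: %d\n",
           demo_reverse_order(), demo_overlap(), demo_rejects());
    return 0;
}
```

The hole list is walked once per fragment and only ever shrinks or splits, which is why the algorithm stays cheap regardless of arrival order; the reverse-order demo needs no special casing because the MF=0 fragment simply truncates the "infinite" tail hole when it shows up first. Note that the rejection checks run before any byte is copied, so state stays consistent when a fragment is refused.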