On 13 Sep 2001, Mohamed Maraikayar wrote:

> A basic doubt. Many places I have read, if a packet is fragmented to a
> tiny packet, routers and many firewalls allow it to pass through. My doubt

Fragments themselves, so long as they're big enough to contain the full IP
header AND their offset is past the start of the IP header (there's an
RFC; searching for it is left as an exercise to the reader), aren't the
general problem with fragments...

> is if the router or firewall receives a packet, and from that it could
> not make out where this packet is going, it should drop it by access-lists

Not making out where it's going is about making sure it's long enough
*and* that the Fragment Offset is past the end of the header.  That
doesn't, however, solve all our problems with fragments.

> or rule base. When we configure an access-list, it means only packets
> configured to pass are allowed. Similarly in firewalls, by default
> all traffic coming to the inside network is dropped. Then how could a
> fragmented packet traverse? What is the difference between a big

There used to be significant problems with FO=0 packets, I think most
everyone has solved those by now.

> packet and a fragmented tiny packet? Also I learned somewhere that routers
> and firewalls virtually reassemble the packet. Thanks, Mohamed.

Routers *do NOT* reassemble fragments; they forward packets.  Inspection
at a router would be pretty expensive resource-wise.  Proxy-based
firewalls, of course, handle fragments by whatever rules their stacks use;
the problem with packet filters is that you have to be able to do
something with out-of-order fragments, as well as overlapping fragments.
That's not generally part of simple packet filters like routers, but parts
of it may be instituted in packet filtering firewalls.

One of the big problems with IDS systems is that they never know how a
particular host will do reassembly, so sending conflicting fragments can
mask an attack in some instances.

Paul
---------------------------------------------------------------------------
Paul D. Robertson          #rm -rf /bin/laden
[EMAIL PROTECTED]     

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
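Added example, not code from the original thread: a toy fragment filter and reassembler in Python that shows the two points Paul's reply makes. The per-fragment checks follow RFC 1858 (the RFC alluded to above: drop a first fragment too short to hold the full TCP header, and drop any fragment at Fragment Offset 1, since bytes 8..15 of a TCP header hold the flags). The reassembler then applies two overlap policies, "first fragment wins" and "last fragment wins", to the same conflicting fragment stream to show how an IDS and a target host can end up seeing different payloads. The TCP header bytes, the HTTP request and the fragment boundaries are constructed sample data; the function names are my own.

```python
"""Toy IP-fragment filter and reassembler (added example, constructed data).

Illustrates RFC 1858 tiny-fragment / offset-1 checks and why overlapping
fragments can mask an attack from an IDS that guesses the wrong policy.
"""
from dataclasses import dataclass

TCP_HEADER_LEN = 20  # a first fragment shorter than this cannot carry ports and flags


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by all pieces of one datagram
    offset: int     # Fragment Offset, in 8-byte units
    more: bool      # More Fragments flag
    payload: bytes  # transport-layer bytes carried by this fragment


def rfc1858_allow(frag: Fragment, min_first: int = TCP_HEADER_LEN) -> bool:
    """Stateless per-fragment checks a packet filter can apply (RFC 1858, TCP assumed).

    FO == 0 with a payload too short for the full TCP header: drop (tiny fragment,
    the filter cannot see ports/flags).  FO == 1: drop, because a fragment starting
    at byte 8 would overwrite the TCP flags of an already-accepted first fragment.
    """
    if frag.offset == 0 and len(frag.payload) < min_first:
        return False
    if frag.offset == 1:
        return False
    return True


def reassemble(frags, policy: str = "first"):
    """Reassemble one datagram's fragments, accepted in any arrival order.

    policy="first": bytes already received win on overlap.
    policy="last":  later fragments overwrite earlier bytes.
    Returns None if the datagram is incomplete (a gap, or no final fragment).
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments from more than one datagram")
    buf = {}        # byte index -> byte value
    total = None    # datagram length, learned from the fragment with MF == 0
    for f in frags:
        start = f.offset * 8
        if not f.more:
            total = start + len(f.payload)
        for i, b in enumerate(f.payload):
            if policy == "last" or (start + i) not in buf:
                buf[start + i] = b
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


# Constructed sample: a 20-byte TCP header stand-in (zeroed except flags = PSH|ACK).
TCP_HDR = bytes(13) + bytes([0x18]) + bytes(6)

F_FIRST = Fragment(1, 0, True, TCP_HDR + b"GET ")      # bytes 0..23
F_BENIGN = Fragment(1, 3, True, b"/index.html HTTP")   # bytes 24..39
F_EVIL = Fragment(1, 3, True, b"/cgi-bin/xy HTTP")     # same bytes, conflicting content
F_TAIL = Fragment(1, 5, False, b"/1.0")                # bytes 40..43, last fragment

TINY = Fragment(2, 0, True, TCP_HDR[:8])     # first fragment with only 8 header bytes
OVERWRITE = Fragment(2, 1, True, bytes(8))   # offset 8: would land on the TCP flags


def demo():
    """Run the attack stream through both overlap policies and the RFC 1858 checks."""
    stream = [F_FIRST, F_BENIGN, F_EVIL, F_TAIL]  # benign first, then a conflicting overlap
    return {
        "first_wins": reassemble(stream, "first")[TCP_HEADER_LEN:],
        "last_wins": reassemble(stream, "last")[TCP_HEADER_LEN:],
        "out_of_order": reassemble([F_TAIL, F_BENIGN, F_FIRST], "first")[TCP_HEADER_LEN:],
        "tiny_dropped": not rfc1858_allow(TINY),
        "fo1_dropped": not rfc1858_allow(OVERWRITE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the stream above, a "first wins" reassembler sees `GET /index.html HTTP/1.0` while a "last wins" one sees `GET /cgi-bin/xy HTTP/1.0`; an IDS that models the target with the wrong policy inspects the request the host never executes, which is exactly the masking Paul describes. The RFC 1858 checks are stateless and cheap, which is why a router-class packet filter can do them, but they say nothing about overlap, so the overlap handling has to live in a firewall or host stack that actually buffers fragments.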

Reply via email to