Thanks to all.
mohamed.
On Thu, 13 Sep 2001 Paul D. Robertson wrote:
>On 13 Sep 2001, Mohamed Maraikayar wrote:
>
>> A basic doubt. In many places I have read that if a packet is fragmented
>> to a tiny packet, routers and many firewalls allow it to pass through. My doubt
>
>Fragments themselves - so long as they're big enough to contain the full IP
>header AND that its offset is past the start of the IP header (there's an
>RFC, searching for it is left as an exercise to the reader) - that isn't the
>general problem with fragments...
>
>> is if the router or firewall receives a packet, from that if it could
>> not make out where this packet is going, it should drop by access-lists
>
>Not making out where it's going is about making sure it's long enough
>*and* that the Fragment Offset is past the end of the header. That
>doesn't however solve all our problems with fragments.
>
>> or rule base. As when we configure an access-list, it means only packets
>> configured to pass are allowed. Similarly in firewalls, by default
>> all traffic coming to the inside network is dropped. Then how could a
>> fragmented packet traverse? What is the difference between a big
>
>There used to be significant problems with FO=0 packets; I think most
>everyone has solved those by now.
>
>> packet and a fragmented tiny packet? Also I learned somewhere, routers
>> and firewalls virtually reassemble the packet. Thanks, Mohamed.
>
>Routers *do NOT* reassemble fragments, they forward packets. Inspection
>at a router would be pretty expensive resource-wise. Proxy-based
>firewalls, of course, handle fragments by whatever rules their stacks use;
>the problem with packet filters is that you have to be able to do
>something with out-of-order fragments, as well as overlapping fragments.
>That's not generally part of simple packet filters like routers, but parts
>of it may be instituted in packet filtering firewalls.
>
>One of the big problems with IDS systems is that they never know how a
>particular host will do reassembly, so sending conflicting fragments can
>mask an attack in some instances.
>
>Paul
>------------------------------------------------------------------------------
>Paul D. Robertson #rm -rf /bin/laden
>[EMAIL PROTECTED]
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
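As an added illustration of the two points in Paul's reply (a filter must see enough of the first fragment to apply its rules and must not let a later fragment land inside the transport header, and overlapping fragments are what make per-host reassembly ambiguous), here is example code that is not part of the thread. It implements the per-fragment checks in the spirit of the RFC Paul alludes to (I take that to be RFC 1858) plus a simple overlap detector; the packets and the `make_frag` helper are constructed for this example.

```python
import struct

# Added example (not from the thread): checks a packet filter can apply to one IPv4
# fragment, plus the overlap detection a stateful device needs. Packets are constructed.

IHL_MIN = 20            # smallest legal IPv4 header
TCP_HDR_MIN = 20        # transport header a filter must see in full to apply port/flag rules

def parse_ipv4(pkt: bytes) -> dict:
    """Pull IHL, protocol, MF flag and byte fragment offset out of an IPv4 header."""
    if len(pkt) < IHL_MIN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_fo, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "proto": proto,
            "mf": bool(flags_fo & 0x2000),
            "fo": (flags_fo & 0x1FFF) * 8,      # Fragment Offset is in 8-byte units
            "payload": pkt[ihl:]}

def fragment_verdict(pkt: bytes, min_hdr: int = TCP_HDR_MIN) -> str:
    """Per-fragment policy: a first fragment must carry the whole transport header, and
    no later fragment may start inside it (where it could rewrite ports or TCP flags)."""
    h = parse_ipv4(pkt)
    if h["fo"] == 0 and not h["mf"]:
        return "pass"                                  # not fragmented; normal rule base decides
    if h["fo"] == 0 and len(h["payload"]) < min_hdr:
        return "drop: tiny first fragment"
    if 0 < h["fo"] < min_hdr:
        return "drop: offset inside transport header"
    return "pass"                                      # ordinary non-first fragment

def find_overlaps(frags):
    """frags: list of (byte_offset, payload_len). Return offsets of fragments that overlap
    data already seen; this is the ambiguity that lets hosts reassemble differently."""
    max_end, flagged = 0, []
    for fo, n in sorted(frags):
        if fo < max_end:
            flagged.append(fo)
        max_end = max(max_end, fo + n)
    return flagged

def make_frag(fo_units: int, mf: bool, payload: bytes) -> bytes:
    """Constructed IPv4/TCP fragment (checksum left zero; enough for header parsing)."""
    flags_fo = (0x2000 if mf else 0) | (fo_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL_MIN + len(payload), 0x1234,
                      flags_fo, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload
```

`fragment_verdict` is stateless, which is all a router-style filter can do; `find_overlaps` needs the fragments of one datagram collected first, which is the per-datagram state Paul says simple packet filters lack.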