Thanks to all.
mohamed.

On Thu, 13 Sep 2001 Paul D. Robertson wrote :
>On 13 Sep 2001, Mohamed  Maraikayar wrote:
>
>> A basic doubt, many places I have read, if a packet is fragmented to a
>> tiny packet, routers and many firewalls allow it to pass through. My doubt
>
>Fragments themselves- so long as they're big enough to contain the full IP
>header AND that its offset is past the start of the IP header (there's an
>RFC, searching for it is left as an exercise to the reader) that isn't the
>general problem with fragments...
>
>> is if the router or firewall receives a packet, from that if it could
>> not make out where this packet is going, it should drop by access-lists
>
>Not making out where it's going is about making sure it's long enough
>*and* that the Fragment Offset is past the end of the header.  That
>doesn't however solve all our problems with fragments.
>
>> or rule base. As when we configure an access-list, it means only packets
>> configured to pass are allowed. Similarly in firewalls, by default
>> all traffic coming to the inside network is dropped. Then how could a
>> fragmented packet traverse? What is the difference between a big
>
>There used to be significant problems with FO=0 packets, I think most
>everyone has solved those by now.
>
>> packet and a fragmented tiny packet? Also I learned somewhere, routers
>> and firewalls virtually reassemble the packet. Thanks
>> mohamed.
>
>Routers *do NOT* reassemble fragments, they forward packets.  Inspection
>at a router would be pretty expensive resource-wise.  Proxy-based
>firewalls, of course, handle fragments by whatever rules their stacks use-
>the problem with packet filters is that you have to be able to do
>something with out-of-order fragments, as well as overlapping fragments.
>That's not generally part of simple packet filters like routers, but parts
>of it may be instituted in packet filtering firewalls.
>
>One of the big problems with IDS systems is that they never know how a
>particular host will do reassembly, so sending conflicting fragments can
>mask an attack in some instances.
>
>Paul
>----------------------------------------------------------------------------
>Paul D. Robertson          #rm -rf /bin/laden
>[EMAIL PROTECTED]
>
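As an added illustration of the two points in the quoted reply (it is not code from the thread or from any particular firewall), the script below builds IPv4 fragments by hand and then applies the RFC 1858 / RFC 3128 tiny-fragment checks a packet filter can do without reassembling: drop a first (FO=0) TCP fragment too short to hold the TCP header, and drop a TCP fragment with FO=1, since it lands 8 bytes into the transport header on top of the flags. It then reassembles one datagram with an overlapping fragment under a "first fragment wins" and a "last fragment wins" policy to show the ambiguity Paul describes for IDS. The 20-byte TMIN threshold, the addresses, identifiers and sample payloads are all constructed for the example, and the two reassembly policies are deliberate simplifications of what real stacks do.

```python
import struct

TCP, UDP = 6, 17
TMIN = 20  # assumption: a first TCP fragment must carry a full 20-byte TCP header


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident, more, offset_units, proto, payload,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 fragment: 20-byte header, no options.
    offset_units is the Fragment Offset field (units of 8 bytes)."""
    flags_frag = ((1 if more else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse(pkt):
    """Pull the fields a fragment filter needs out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"ident": ident, "proto": proto,
            "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,      # in bytes
            "payload": pkt[ihl:total_len]}


def fragment_verdict(pkt):
    """RFC 1858 / RFC 3128 style checks for TCP fragments.
    direct method:   FO=0 fragment too short to hold the TCP header -> drop
    indirect method: FO=1 fragment (8 bytes in, on top of the flags) -> drop"""
    f = parse(pkt)
    if f["proto"] != TCP or (f["offset"] == 0 and not f["more"]):
        return "accept"                      # not TCP, or not fragmented at all
    if f["offset"] == 0 and len(f["payload"]) < TMIN:
        return "drop: tiny first fragment"
    if f["offset"] == 8:
        return "drop: offset-1 fragment"
    return "accept"


def reassemble(fragments, policy="first"):
    """Toy reassembly of one datagram. 'first' keeps the bytes that arrived first,
    'last' lets later fragments overwrite; real stacks differ, which is exactly
    the ambiguity an IDS has to live with."""
    parsed = [parse(p) for p in fragments]
    assert len({f["ident"] for f in parsed}) == 1, "fragments from different datagrams"
    size = max(f["offset"] + len(f["payload"]) for f in parsed)
    buf, seen = bytearray(size), bytearray(size)
    for f in parsed:
        for i, byte in enumerate(f["payload"]):
            pos = f["offset"] + i
            if policy == "last" or not seen[pos]:
                buf[pos], seen[pos] = byte, 1
    return bytes(buf)


def demo():
    """Constructed traffic, not captured: returns the verdicts and both reassemblies."""
    # TCP: 8-byte first fragment (ports + seq only), and one landing at offset 1
    tiny = build_fragment(7, True, 0, TCP, struct.pack("!HHI", 1234, 80, 0))
    off1 = build_fragment(7, False, 1, TCP, b"\x00" * 12)
    sane = build_fragment(8, True, 0, TCP, b"\x00" * 24)
    # UDP payload split so the second fragment overlaps bytes 8..23 of the first
    a = build_fragment(42, True, 0, UDP, b"GET /index.html HTTP/1.0")
    b = build_fragment(42, False, 1, UDP, b"ex.php  HTTP/1.0")
    return {"tiny": fragment_verdict(tiny), "off1": fragment_verdict(off1),
            "sane": fragment_verdict(sane),
            "first_wins": reassemble([a, b], "first"),
            "last_wins": reassemble([a, b], "last")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The filter rules are stateless, which is why a plain router ACL can apply them: they only look at the Fragment Offset, the More Fragments bit and the length of the fragment in hand. The overlap demo is the part a packet filter cannot settle on its own: the same two fragments reassemble to a request for /index.html under one policy and /index.php under the other, so an IDS that picks the wrong policy for the destination host inspects a different request than the host actually sees.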

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
