Hello, I have a couple of comments regarding the text about stateless firewalls.

From Section 4.3:

    "Because port information is not available in the trailing fragments the firewall is limited to the following options:
     o Accept all trailing fragments, possibly admitting certain classes of attack.
     o Block all trailing fragments, possibly blocking legitimate traffic."

There seems to be a third option described in RFC1858:

    "Fortunately, we do not need to remove all fragments of an offending packet. Since "interesting" packet information is contained in the headers at the beginning, filters are generally applied only to the first fragment. Non-first fragments are passed without filtering, because it will be impossible for the destination host to complete reassembly of the packet if the first fragment is missing, and therefore the entire packet will be discarded."

From Section 4.6 of the draft:

    "A stateless firewall cannot protect against the overlapping fragment attack."

Isn't this addressed in RFC1858 and RFC5722? (e.g. "4.2 Prevention of the Overlapping Fragment Attack" is a section in RFC1858).

Tom

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
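The filtering approach the post quotes from RFC 1858 (inspect the first fragment, pass non-first fragments, and drop the specific fragments that could rewrite the TCP header) can be shown as a small stateless classifier. The following is an added example written for this thread, not code from the post, the draft or RFC 1858; it parses only the IPv4 fields a stateless filter needs. The two drop rules follow RFC 1858: a first fragment (offset 0) carrying TCP but too short to hold the transport header is dropped (the "tiny fragment" rule), and a TCP fragment with offset 1 is dropped because it would overlap the flags of the TCP header in the first fragment (the Section 4.2 rule). The 20-byte threshold for "too short" and the sample packets are assumptions constructed for the demo.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
# Assumption for this demo: require a full fixed-size TCP header (20 bytes) in the
# first fragment so that ports and flags are all present for the port rules.
MIN_TCP_HEADER = 20


def parse_ipv4(packet: bytes) -> dict:
    """Extract protocol, MF flag, fragment offset and transport length from an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header")
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "fo": flags_frag & 0x1FFF,            # fragment offset, in 8-octet units
        "transport_len": len(packet) - ihl,   # bytes available after the IP header
    }


def classify_fragment(packet: bytes) -> str:
    """Stateless decision for one IPv4 packet, following the RFC 1858 rules."""
    hdr = parse_ipv4(packet)
    if hdr["fo"] == 0:
        # First fragment (or unfragmented packet): this is where port rules are applied.
        if hdr["proto"] == IPPROTO_TCP and hdr["transport_len"] < MIN_TCP_HEADER:
            return "drop-tiny-first-fragment"
        return "inspect-first-fragment"
    if hdr["fo"] == 1 and hdr["proto"] == IPPROTO_TCP:
        # Offset 1 (bytes 8..15 of the TCP header) would overwrite the TCP flags
        # carried in the first fragment: RFC 1858 Section 4.2 drops these.
        return "drop-overlapping-fragment"
    # Any other non-first fragment is useless to the receiver without the
    # first fragment, so the stateless filter lets it through.
    return "pass-non-first-fragment"


def build_ipv4(proto: int, more_fragments: bool, frag_offset: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (no options, checksum left zero) for the demo."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


# Constructed sample traffic: (label, packet)
SAMPLES = [
    ("tcp first fragment, full header", build_ipv4(IPPROTO_TCP, True, 0, b"\x00" * 20)),
    ("tcp first fragment, 8 bytes only", build_ipv4(IPPROTO_TCP, True, 0, b"\x00" * 8)),
    ("tcp fragment at offset 1", build_ipv4(IPPROTO_TCP, True, 1, b"\x00" * 8)),
    ("tcp fragment at offset 2", build_ipv4(IPPROTO_TCP, False, 2, b"\x00" * 16)),
    ("udp fragment at offset 1", build_ipv4(IPPROTO_UDP, False, 1, b"\x00" * 8)),
]


def run_samples() -> list:
    """Classify every constructed sample and return (label, decision) pairs."""
    return [(label, classify_fragment(pkt)) for label, pkt in SAMPLES]


if __name__ == "__main__":
    for label, decision in run_samples():
        print(f"{label:36s} -> {decision}")
```

Note what this does and does not give you: the offset-1 rule is the only overlap protection a stateless device can apply, and it is TCP-specific; detecting arbitrary overlapping fragments (the behaviour RFC 5722 addresses for IPv6) requires reassembly state, since the filter would have to remember what earlier fragments of the same datagram covered.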
