Hi Arnaud,
Thanks for your comments. Please find responses inline.
On 20/05/09 03:31 PM, Arnaud Ebalard wrote:
> > The TCP header has the following values of the flags S(YN)=1 and
> > A(CK)=1. This makes an inspecting stateful firewall think that it is
>
> I would say "This may make". If the initial rule for the creation
> of the state specifically requires S=1 and A=0, that trick will not
> work. It basically depends on the default behavior of the firewall
> for the creation of the state and on the specific content of the
> ruleset. Netfilter (Linux fw) allows specifying that.

Sounds good. I will make this change.

> > a response packet for a connection request initiated from the trusted
> > side of the firewall. Hence it will allow the fragment to pass. It
> > will also allow the following fragments with the same Fragment
> > Identification value in the fragment header to pass through.
> > A malicious node can form a second fragment with a TCP header that
> > changes the flags and sets S(YN)=1 and A(CK)=0. This would change
>
> This may change
>
> Here, it depends on the behavior of the remote host: if it
> prefers first data, this will not work.

OK.

> > 4. Recommendation
> > IPv6 nodes transmitting datagrams that need to be fragmented MUST NOT
> > create overlapping fragments. IPv6 nodes that receive a fragment
> > that overlaps with a previously received fragment MUST cease the
> > reassembly process and MUST discard the previously received fragments
> > with the same IPv6 Source Address, IPv6 Destination Address and
> > Fragment Identification.
>
> Simple, efficient. Should have been the default in RFC 2460.

Sounds good.
Thanks
Suresh
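The receiver-side rule from section 4 of the quoted draft, as an added example that is not code from the thread or the draft: a small reassembler that ceases reassembly and discards everything buffered for a (source, destination, Fragment Identification) key as soon as a fragment overlaps one already received. Addresses, fragment ids and payload bytes are constructed; offsets are given in bytes here, whereas on the wire IPv6 fragment offsets are in 8-octet units.

```python
class FragmentReassembler:
    """Reassembles fragments keyed by (src, dst, fragment id).

    Any fragment overlapping an already-buffered one discards the whole
    reassembly state for that key, as section 4 of the draft requires.
    Offsets are in bytes (simplification; IPv6 uses 8-octet units).
    """

    def __init__(self):
        # key -> {"frags": [(offset, payload)], "total": datagram length}
        self.states = {}

    def accept(self, src, dst, frag_id, offset, payload, more_fragments):
        key = (src, dst, frag_id)
        state = self.states.setdefault(key, {"frags": [], "total": None})
        end = offset + len(payload)
        for off, data in state["frags"]:
            if offset < off + len(data) and off < end:
                # Overlap: cease reassembly and drop everything buffered.
                del self.states[key]
                return ("dropped", None)
        state["frags"].append((offset, payload))
        if not more_fragments:
            state["total"] = end  # the last fragment fixes the total length
        if state["total"] is None:
            return ("pending", None)
        frags = sorted(state["frags"])
        expected = 0
        for off, data in frags:
            if off != expected:
                return ("pending", None)  # a hole remains
            expected = off + len(data)
        if expected != state["total"]:
            return ("pending", None)
        del self.states[key]
        return ("complete", b"".join(data for _, data in frags))


def demo():
    """Replays the thread's scenario with constructed addresses/payloads."""
    r = FragmentReassembler()
    src, dst, fid = "2001:db8::1", "2001:db8::2", 0x1234
    # Bytes 0-7 stand in for a TCP header carrying SYN=1, ACK=1.
    first = r.accept(src, dst, fid, 0, b"SYN+ACK.", True)
    # Second fragment re-sends offset 0 with SYN=1, ACK=0: an overlap.
    second = r.accept(src, dst, fid, 0, b"SYN.....", True)
    # A datagram without overlap still reassembles normally.
    r.accept(src, dst, fid + 1, 0, b"headerAA", True)
    third = r.accept(src, dst, fid + 1, 8, b"payload", False)
    return first[0], second[0], third
```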
IETF IPv6 working group mailing list