In message <[email protected]>, "Tony Hain" writes:
> Antonios Atlasis wrote:
> ...
> > Again, generally speaking (and not just for SEAL) RFC 5722 "allows"
> > the abuse of its recommended policy for launching DoS attacks (a
> > single overlapping fragment will result in discarding a whole
> > datagram). On the contrary, if only the overlapping fragment is
> > discarded, at least DoS will be slightly more difficult.
>
> DoS is more difficult, but packet hijack is easier. All an attacker needs
> to do is inject a set of fragments before the next one from the source to
> cause it to appear to be an overlap and rejected. Once the attacker can get
> the real fragments rejected as overlaps, the rest of the packet is filled
> with bogus attack fragments. Wouldn't it have been better to drop the whole
> datagram? DoS is a problem, but undetected malicious data is worse.

Then add a cryptographic checksum of the original packet when fragmenting.
48 bits in a HBH should be enough.

> Tony
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
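
The trade-off discussed in this message, as an added example that is not part of the original thread: a toy reassembler run under both overlap policies, with an optional 48-bit check value verified after reassembly. Assumptions: the check value is SHA-256 truncated to 6 bytes (the message names no algorithm), the receiver obtains the sender's value intact, and all function names and sample bytes are constructed for illustration.

```python
import hashlib

def checksum48(payload: bytes) -> bytes:
    # Assumed construction: SHA-256 truncated to 48 bits (6 bytes).
    return hashlib.sha256(payload).digest()[:6]

def reassemble(fragments, total_len, policy):
    """fragments: (offset, data) tuples in arrival order.
    'drop_fragment' ignores a fragment that overlaps data already held;
    'drop_datagram' discards everything on any overlap (RFC 5722)."""
    buf = bytearray(total_len)
    filled = [False] * total_len
    for offset, data in fragments:
        end = offset + len(data)
        if offset < 0 or end > total_len:
            continue  # malformed fragment, ignore
        if any(filled[offset:end]):
            if policy == "drop_datagram":
                return None
            continue  # drop only the overlapping (later) fragment
        buf[offset:end] = data
        filled[offset:end] = [True] * len(data)
    return bytes(buf) if all(filled) else None

def receive(fragments, total_len, policy, expected=None):
    """Reassemble, then verify the 48-bit check value if one was carried."""
    payload = reassemble(fragments, total_len, policy)
    if payload is not None and expected is not None:
        if checksum48(payload) != expected:
            return None  # substituted data detected, discard
    return payload

# Constructed sample data: a 24-byte payload sent as three 8-byte fragments.
ORIGINAL = b"AAAAAAAABBBBBBBBCCCCCCCC"
CLEAN = [(0, ORIGINAL[:8]), (8, ORIGINAL[8:16]), (16, ORIGINAL[16:])]
# A forged middle fragment arrives before the genuine one.
RACED = [CLEAN[0], (8, b"XXXXXXXX"), CLEAN[1], CLEAN[2]]
CHECK = checksum48(ORIGINAL)

if __name__ == "__main__":
    for policy in ("drop_fragment", "drop_datagram"):
        print(policy, receive(RACED, 24, policy), receive(RACED, 24, policy, CHECK))
```

Without the check value, the drop-fragment policy delivers the payload containing the forged bytes while the drop-datagram policy delivers nothing; with the check value, neither policy delivers altered data.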
