In some mail from Dave Mischler, sie said:
>
> > This isn't quite true. Unless the product implements some type of frag
> > cache and only passes fragment trailers matching a passed fragment header,
> > it's still possible to use the fragment overlay attack.
>
> You're absolutely right. I have to point out though, that any product
> that translates IP addresses and/or port numbers must either reassemble
> fragments or maintain a fragment cache or the fragments can't be delivered
> to the correct internal address and port.
I've given this some thought, and it isn't quite correct.
Translating port numbers is best solved using a proxy (circuit relay).
However, the case for IP#s is different. The packet (and all its fragments)
is uniquely identified within a given time span by
(source ip, destination ip, id#). It should not be necessary to maintain a
fragment cache for translating IP#s.
But in any case, it doesn't matter whether there is a cache or not: if the
reassembly routine is wrong, a fragment can overwrite previous data and
invalidate it (and your filter results).
darren
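To make the last point concrete, here is a toy reassembler, added as an illustration and not code from this thread or from any product discussed in it. It caches fragments keyed by (source ip, destination ip, id#) as darren describes, and can run in two modes: a naive "last fragment written wins" mode, in which a later fragment silently overwrites bytes an earlier fragment already supplied (so whatever a filter decided from the first fragment no longer describes the reassembled datagram), and a strict mode that rejects any overlap. The fragment stream, the addresses and the "DPORT=" header bytes are constructed for the example; offsets are in bytes rather than the 8-byte units real IPv4 uses, and no real packet parsing is involved.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    """One IPv4 fragment, simplified: offset is in bytes, not 8-byte units."""
    src: str
    dst: str
    ident: int      # IP identification field
    offset: int     # byte offset of this fragment's data within the datagram
    more: bool      # MF (more fragments) flag
    data: bytes


class OverlapError(ValueError):
    """Raised in strict mode when a fragment overlaps data already cached."""


class Reassembler:
    """Fragment cache keyed by (src, dst, id), as discussed in the thread."""

    def __init__(self, strict: bool = True):
        self.strict = strict
        # key -> {"chunks": [(offset, data), ...] in arrival order, "total": int | None}
        self.cache = {}

    def add(self, frag: Fragment):
        """Cache a fragment; return the datagram bytes once complete, else None."""
        key = (frag.src, frag.dst, frag.ident)
        entry = self.cache.setdefault(key, {"chunks": [], "total": None})
        start, end = frag.offset, frag.offset + len(frag.data)
        if self.strict:
            for off, data in entry["chunks"]:
                if start < off + len(data) and off < end:
                    # Overlapping data means bytes a filter already inspected can no
                    # longer be trusted, so discard the whole datagram.
                    del self.cache[key]
                    raise OverlapError(
                        f"fragment {start}-{end} overlaps cached {off}-{off + len(data)} for {key}")
        entry["chunks"].append((frag.offset, frag.data))
        if not frag.more:
            entry["total"] = end       # the last fragment fixes the datagram length
        return self._complete(key, entry)

    def _complete(self, key, entry):
        total = entry["total"]
        if total is None:
            return None
        buf = bytearray(total)
        covered = [False] * total
        for off, data in entry["chunks"]:   # arrival order: a later fragment overwrites
            chunk = data[:max(0, total - off)]
            buf[off:off + len(chunk)] = chunk
            for i in range(off, off + len(chunk)):
                covered[i] = True
        if not all(covered):
            return None                     # still waiting for a missing piece
        del self.cache[key]
        return bytes(buf)


def reassemble(frags, strict: bool):
    """Feed a fragment list through one Reassembler and return the final result."""
    r = Reassembler(strict=strict)
    result = None
    for f in frags:
        result = r.add(f)
    return result


# Constructed fragment stream (not real traffic): the first fragment carries the
# "header" bytes a filter would inspect, a second fragment re-covers offsets 6-8.
SRC, DST, IDENT = "10.0.0.1", "192.0.2.10", 0x1234
OVERLAY_STREAM = [
    Fragment(SRC, DST, IDENT, 0, True,  b"DPORT=80;"),   # bytes 0-9, what the filter sees
    Fragment(SRC, DST, IDENT, 6, True,  b"23"),          # bytes 6-8, overlays "80"
    Fragment(SRC, DST, IDENT, 9, False, b"payload"),     # bytes 9-16, last fragment
]
CLEAN_STREAM = [OVERLAY_STREAM[2], OVERLAY_STREAM[0]]    # same datagram, out of order, no overlap


if __name__ == "__main__":
    print(reassemble(CLEAN_STREAM, strict=True))        # b'DPORT=80;payload'
    print(reassemble(OVERLAY_STREAM, strict=False))     # b'DPORT=23;payload'
    try:
        reassemble(OVERLAY_STREAM, strict=True)
    except OverlapError as e:
        print("strict mode dropped datagram:", e)
```

The naive mode returns a datagram whose "port" field differs from the one in the first fragment, which is exactly the filter result being invalidated that darren refers to; the strict mode drops the datagram at the overlapping fragment, and a real implementation would log that event since overlapping fragments have little legitimate use. Note that the cache key alone does not help here: both fragments carry the same (src, dst, id), so the defence has to live in the reassembly routine.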