Great Circle Associates Firewalls
(December 1995)
 


Subject: Re: Filtering fragmented IP frames
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Fri, 8 Dec 1995 23:33:43 +1100 (EDT)
To: alexf @ is . net (Alex Filacchione)
Cc: pdrolet @ CyberSecure . Com, firewalls @ GreatCircle . COM
In-reply-to: <Pine . LNX . 3 . 91 . 951207140914 . 644F-100000 @ mrdata . is . net> from "Alex Filacchione" at Dec 7, 95 02:14:27 pm

In some mail from Alex Filacchione, sie said:
[...]
> This leads me to something else...
> 
> Anyone know which software will let you (all? None?) assemble the 
> fragmented packets AT the firewall (in a cache of sorts) or gateway, and 
> then examine them and subject them to normal filtering rules?

Packet filters (i.e. routers) should not be trying to reassemble packets.

Problem: two routers are passing packets to each other and have n-1 fragments
in their cache and their buffers are full.  They can't dequeue all the
fragments because they don't have them all.  It is well known if you send
a machine too many fragments, it'll lock up (run out of buffer space),
why make it worse for routers?

darren
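
The buffer problem described in the message above, as an added example that is not part of the original post: a fixed-size reassembly cache that fills with incomplete datagrams and then has to drop fragments of a complete one. The class names, the byte-offset model, the constructed traffic, and the reassembly timer (which the post does not discuss) are assumptions for illustration.

```python
class Partial:
    """One datagram still waiting for fragments."""
    def __init__(self, now):
        self.first_seen = now
        self.frags = {}      # byte offset -> fragment length
        self.total = -1      # datagram length, known once the MF=0 fragment arrives

    def complete(self):
        if self.total < 0:
            return False
        pos = 0
        for off in sorted(self.frags):
            if off > pos:    # hole: a fragment is still missing
                return False
            pos = max(pos, off + self.frags[off])
        return pos >= self.total

class ReassemblyCache:
    def __init__(self, max_frags, timeout=None):
        self.max_frags, self.timeout = max_frags, timeout
        self.partials, self.used = {}, 0

    def _release(self, key):
        self.used -= len(self.partials.pop(key).frags)

    def add(self, key, offset, length, more, now):
        if self.timeout is not None:   # drop partials older than the timer
            for k in [k for k, p in self.partials.items()
                      if now - p.first_seen >= self.timeout]:
                self._release(k)
        if self.used >= self.max_frags:
            return "dropped"           # no buffer left, even for a legitimate fragment
        p = self.partials.setdefault(key, Partial(now))
        if offset not in p.frags:
            p.frags[offset] = length
            self.used += 1
        if not more:
            p.total = offset + length
        if p.complete():
            self._release(key)
            return "complete"
        return "held"

def demo(timeout):
    cache = ReassemblyCache(max_frags=8, timeout=timeout)
    # Constructed traffic: 4 datagrams, 2 of 3 fragments each; the last never arrives.
    for ip_id in range(4):
        for off in (0, 8):
            cache.add(("10.0.0.1", "10.0.0.2", ip_id), off, 8, True, now=0.0)
    key = ("10.0.0.3", "10.0.0.2", 99)   # later, a complete 2-fragment datagram
    return [cache.add(key, 0, 8, True, now=40.0), cache.add(key, 8, 8, False, now=40.0)]
```

Without a timer the cache stays full of n-1 fragment sets and the later datagram is dropped; with a 30-second timer the stale entries are released and it reassembles.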

