I discussed this issue with a couple of the principal developers a while
back after the same thought occurred to me. :-)
(I was primarily concerned about the IP fragmentation attack possibilities.)
In any event, we do go into each packet far enough to ascertain certain
bit flag status to prohibit this type of attack.
- paul
At 09:48 PM 9/19/96 GMT, gary flynn wrote:
>I've been researching a router upgrade and was trying to find out
>where access lists were processed on Cisco's new routers with
>VIP2 interfaces. In reading about their Netflow switching
>feature, I found the following referring to the processing
>of access lists:
>
>"With Netflow Switching, only the first packet in a flow follows
>this process. If the first packet in a flow passes through these
>filters, an entry is added to the Netflow Switching cache. Subsequent
>packets in the same flow are then switched based on this cache
>entry, without needing to be matched against the complete set of
>access lists."
>
>Has anyone analyzed the security implications of this when the
>router is being used in a firewall application? It sounds great
>for performance but off-hand, it also sounds like there is room
>for abuse. I guess it all depends upon what the definition of
>"flow" is and what is stored in the cache.
>
>(What I was really hoping was that the VIP2 boards processed
>the access filters rather than the main CPU. Oh well.)
>
>--
>Gary Flynn
>Network Manager
>James Madison University
>Harrisonburg, Virginia
>gary@habanero.jmu.edu
>
--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems
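The exchange above is about what a flow cache remembers and what it does not. The following is an added toy model, written for this page and not Cisco code, of the two behaviours under discussion: a naive switch that evaluates the access list only on the first packet of a flow and keys its cache on the 5-tuple, and a flag-aware switch that still looks at per-packet bits (TCP flags, fragment offset) before trusting a cache hit. Assumptions, all mine: the flow key is (src, dst, protocol, sport, dport); the `established` rule follows Cisco's documented meaning (match TCP with ACK or RST set); and a non-initial fragment, which carries no transport header, is re-evaluated with its ports treated as unknown. The sample traffic is constructed, not captured.

```python
"""Toy model: first-packet ACL evaluation with a flow cache (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    frag_offset: int = 0             # non-zero means non-initial fragment


def flow_key(p):
    """Assumed flow key: the classic 5-tuple."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def established(p):
    """Cisco 'established' semantics: TCP with ACK or RST set."""
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


# Hypothetical policy: allow return traffic of existing TCP sessions and
# DNS queries; implicit deny for everything else.
ACL = [
    ("permit", established),
    ("permit", lambda p: p.proto == "udp" and p.dport == 53),
    ("deny", lambda p: True),
]


def acl_permit(p, acl):
    """First matching entry wins; no match is an implicit deny."""
    for action, match in acl:
        if match(p):
            return action == "permit"
    return False


class NaiveFlowSwitch:
    """ACL evaluated on the first packet only; later packets trust the cache."""

    def __init__(self, acl):
        self.acl = acl
        self.cache = {}
        self.acl_evaluations = 0

    def forward(self, p):
        key = flow_key(p)
        if key not in self.cache:
            self.acl_evaluations += 1
            self.cache[key] = acl_permit(p, self.acl)
        return self.cache[key]


class FlagAwareFlowSwitch(NaiveFlowSwitch):
    """Checks per-packet bits before accepting a cache hit."""

    def forward(self, p):
        if p.frag_offset != 0:
            # Non-initial fragment: no transport header, so the ports in the
            # cache key cannot be verified. Re-evaluate with ports unknown
            # (conservative choice made for this example).
            self.acl_evaluations += 1
            l3_only = replace(p, sport=None, dport=None, flags=frozenset())
            return acl_permit(l3_only, self.acl)
        if p.proto == "tcp" and not established(p):
            # A packet without ACK/RST is a new connection attempt, even if
            # its 5-tuple matches a flow the cache already permitted.
            self.acl_evaluations += 1
            return acl_permit(p, self.acl)
        return super().forward(p)


def demo(switch_cls):
    """Constructed traffic: an ACK-only packet primes the cache, then a SYN
    and a non-initial fragment arrive on the same 5-tuple."""
    sw = switch_cls(ACL)
    ack = Packet("10.0.0.9", "192.0.2.10", "tcp", 40000, 23, frozenset({"ACK"}))
    syn = Packet("10.0.0.9", "192.0.2.10", "tcp", 40000, 23, frozenset({"SYN"}))
    frag = Packet("10.0.0.9", "192.0.2.10", "tcp", 40000, 23, frozenset(),
                  frag_offset=8)
    return [sw.forward(ack), sw.forward(syn), sw.forward(frag)]


if __name__ == "__main__":
    print("naive:      ", demo(NaiveFlowSwitch))       # [True, True, True]
    print("flag-aware: ", demo(FlagAwareFlowSwitch))   # [True, False, False]
```

The naive switch lets the SYN and the fragment ride on the cache entry created by the ACK-only packet, which is exactly the abuse the question worries about; the flag-aware switch reaches the same `deny` the full access list would have produced. The point is the one made in the reply: caching the first-packet decision is safe only if the bits that can change the decision (TCP flags, fragment fields) are still examined on every packet.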