Firewalls: Re: packet is too small

Firewalls
(June 1997)

Indexed By Thread: [Previous] [Next]

Subject:	Re: packet is too small
From:	Ian Miller <firewalls @ scientia . com>
Date:	Wed, 25 Jun 1997 17:50:22 +0100
To:	<firewalls @ greatcircle . com>

At 11:57 25/06/97 -0400, you wrote:
>In what way is the solution in RFC 1858 flawed?  
>
It states (section 3.2.2) "The indirect method relies on the observation
that when a TCP packet is fragmented so as to force 'interesting' header
fields out of the zero-offset fragment, there must exist a fragment with FO
equal to 1."

This is "observation" true where the fragments have been generated from a
complete packet by a spec. conforming IP stack.  However this isn't
necessarily true of a hacked IP stack.  As such it is unsafe to rely on this.  

>Is there a discussion of this anywhere I could look at?
Archives of this list, March 1996, subject "IP fragmentation attacks".

Ian

Indexed By Date	Previous:	Re: 33xxx Ports From: "This guy here at this system..." <morrison @ ladyred . rsoc . rockwell . com>
Indexed By Date	Next:	Checkpoint FW1 resources From: Jay Aho <jaya @ netrex . com>
Indexed By Thread	Previous:	Re: packet is too small From: "Eric V. Smith" <EricSmith @ windsor . com>
Indexed By Thread	Next:	Re: packet is too small From: drexx @ pspi . com . ph (Drexx Laggui)