Great Circle Associates Firewalls
(September 1997)
 


Subject: Re: packet fragmentation attacks & ip-route caching
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Mon, 22 Sep 1997 09:04:59 +1000 (EST)
To: lists @ lina . inka . de (Bernd Eckenfels)
Cc: marek @ corpus . cz, firewalls @ GreatCircle . COM
In-reply-to: <m0xCTVu-00014SC @ lina . inka . de> from "Bernd Eckenfels" at Sep 20, 97 07:40:12 pm

In some mail from Bernd Eckenfels, sie said:
> 
> Hello,
> 
> 
> On Sep 16, Marek Kubita wrote
> > Firewall-1 claims to use "virtual packet defragmentation":
> > 
> > - the firewall waits for all fragments to arrive
> > - the reassembled packet is inspected by the filtering rules
> > - if passed, the fragments are sent to their destination (not the
> >   reassembled packet).
> Is there a Reason for not sending the complete Packets? MTU Path Discovery?
> Hmm... shouldn't be a Problem.

If MTU path discovery isn't being used?

The point is that the packets which get sent _out_ are the same as the
packets which are received.  The firewall should not be altering packets
unless it is doing something like NAT.

Darren
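
The hold, inspect, then forward-the-originals behaviour discussed in this thread, as an added example that is not part of the original message and is not Firewall-1 code. The `Fragment` tuple, the `VirtualDefrag` class and the `allow_unless_telnet` rule are hypothetical names; fragments are modelled as tuples with byte offsets rather than parsed from raw IP headers.

```python
# Added example: fragments are modelled as tuples rather than parsed from raw IP
# headers, and offsets are in bytes (real IP uses 8-byte units). No timeout shown.
import struct
from collections import namedtuple

Fragment = namedtuple("Fragment", "src dst proto ident offset mf payload")

class VirtualDefrag:
    def __init__(self, policy):
        self.policy = policy   # callable(bytes) -> bool: the filtering rules
        self.pending = {}      # (src, dst, proto, ident) -> fragments held so far

    def receive(self, frag):
        """Hold frag; return the fragments to forward now (possibly none)."""
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        held = self.pending.setdefault(key, [])
        held.append(frag)
        data = self._reassemble(held)
        if data is None:
            return []          # incomplete: keep waiting for the rest
        del self.pending[key]
        if data is False or not self.policy(data):
            return []          # overlap or rule mismatch: drop every fragment
        return held            # forward the originals unmodified, in arrival order

    @staticmethod
    def _reassemble(frags):
        """Return bytes if complete, None if incomplete, False on overlap."""
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[-1].mf:
            return None        # final fragment (MF clear) not seen yet
        buf = b""
        for f in ordered:
            if f.offset < len(buf):
                return False   # overlapping or duplicate data: refuse the datagram
            if f.offset > len(buf):
                return None    # hole: an earlier fragment is still missing
            buf += f.payload
        return buf

def allow_unless_telnet(datagram):
    """Constructed rule: deny when the TCP destination port (bytes 2-3) is 23."""
    if len(datagram) < 4:
        return False
    return struct.unpack("!H", datagram[2:4])[0] != 23
```

The rules only ever see the reassembled bytes, while `receive` returns the same fragment objects it was given, so nothing sent out differs from what was received.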

