Daren Reed writes:
> If I let fragments through, I could be letting through a TCP SYN.
> If I've set the MTU of my outgoing interface to 28 (a multiple of 8),
> it will put source/dest port in 1st packet and the TCP flags in the 3rd
> (seq/ack go in the 2nd). Obviously filtering based upon the TCP flags
> is not possible and doing any filtering on _anything_ in the TCP header
> is going to be incorrect at some point. I might add that an MTU of 28
> is the minimum size for meaningful fragmentation to occur of a TCP/UDP
> or even ICMP packet (with no IP options). Although the fragments will
> timeout upon passing through, what is the capacity here for a malicious
> attack to be formed by sending fragments which pass through the filter
> and form `different packets' on the other side ? (This is just some
> speculation on my part of what might be possible).
There are two issues with fragmented packets:
1. Since you can always filter the first one (which typically includes
the entire ULP header), do you allow out-of-order non-first fragments
through. Since you can always shoot down the first fragment if it
violates policy, the ULP PDU can never be reassembled.
People concerned with fragments getting through under these circumstances
are mainly military types worried about leakage of classified data between
classification levels. If you use RIPSO stamping (IP option 0x82), this
typically isn't a problem. Note, tho, that some CMW implementations
(TSIX/RE, in particular) like to embed compartment info in the application
PDU, so the possibility of leakage exists if you don't use the Extended
Security Option (0x85, I think).
This is pretty esoteric for most of us.
2. What's your policy about MTU? In my book, anyone setting the MTU
smaller than the size of a TCP header is trying to hack my net, and my
filters kick him out. End of story. For the life of me, I can't think
of a good reason for a fragment with fragment offset = 0 to be smaller
than 576.
Just my $0.02.
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250 | fax: +1 410 381-3320
Columbia, MD, 21046 USA | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to
real opinions, living or dead, is purely coincidental.
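As an added example that is not part of this thread: the Python below builds a constructed TCP SYN, fragments it the way a 28-byte MTU would (8 payload bytes per fragment), reports which fragment ends up carrying the TCP flags byte, and applies the filter rule Ted states (an offset-0 fragment with more-fragments set that is shorter than 576 bytes is dropped). The addresses, IP identification value and the 576-byte threshold constant are assumptions chosen for the example.

```python
import struct

IP_HDR_LEN = 20           # IPv4 header without options
MIN_FIRST_FRAGMENT = 576  # assumed constant for Ted's "smaller than 576" rule
TCP_FLAGS_BYTE = 13       # TCP header byte holding SYN/ACK/FIN/RST flag bits

def ipv4_header(total_len, ident, more_frags, frag_offset_bytes, proto=6):
    """Minimal IPv4 header (checksum left zero; constructed 10.0.0.x addresses)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def fragment(transport_pdu, mtu):
    """Split a transport PDU into IP fragments; data per fragment is a multiple of 8."""
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    frags = []
    for off in range(0, len(transport_pdu), per_frag):
        piece = transport_pdu[off:off + per_frag]
        more = off + per_frag < len(transport_pdu)
        frags.append(ipv4_header(IP_HDR_LEN + len(piece), 0x1234, more, off) + piece)
    return frags

def parse_fragment(pkt):
    """Return fragment offset (bytes), more-fragments flag and the IP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000),
            "payload": pkt[ihl:total_len]}

def fragment_carrying_tcp_byte(frags, tcp_byte):
    """Index of the fragment whose data covers the given TCP header byte, else None."""
    for i, pkt in enumerate(frags):
        f = parse_fragment(pkt)
        if f["offset"] <= tcp_byte < f["offset"] + len(f["payload"]):
            return i
    return None

def verdict(pkt):
    """Ted's rule: drop an initial fragment (offset 0, MF set) shorter than 576 bytes."""
    f = parse_fragment(pkt)
    if f["offset"] == 0 and f["more"] and len(pkt) < MIN_FIRST_FRAGMENT:
        return "drop"
    return "pass"

def tcp_syn():
    """Constructed 20-byte TCP SYN header (checksum zero) plus 12 bytes of data."""
    return struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + b"\x00" * 12
```

Dropping the offset-0 fragment is what makes Ted's first point work: the remaining fragments pass, but the SYN can never be reassembled without the piece that was discarded.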