
RE: TCP small fragments



Hi Pall,

We are not talking about right implementations of IP fragmentation. We are talking about what firewalls do in case of small fragments which can be caused by an attack.

Are such fragments discarded by the firewall in ISP (is it an option to discard it)?

Thanks,
Vishwas
________________________________________
From: pmrn [mailto:pmrn@mac.com] 
Sent: Wednesday, February 16, 2005 6:26 PM
To: Vishwas Manral
Cc: opsec@ops.ietf.org
Subject: Re: TCP small fragments

Only payload can be fragmented. Not header. Unless someone messed with TCP/IP stack, I do not know of a single stack in commercial product, that fragments header.

Reasons are many, least being the ability to reassemble fragments accurately. You want to check RFC (exact # escapes me at the moment).

Pall 
On Feb 16, 2005, at 6:27 AM, Vishwas Manral wrote: 

Hi Pall,

I think this rule probably can apply to only the first fragment, I think we certainly can have fragments of a smaller size smaller than 40 bytes of data (especially the last fragment).

Is this done by all deployed routers?

Thanks,

Vishwas

From: pmrn [mailto:pmrn@mac.com] 
Sent: Wednesday, February 16, 2005 4:44 PM 
To: Vishwas Manral 
Cc: opsec@ops.ietf.org 
Subject: Re: TCP small fragments 

  

Vishwas,

The minimum packet length TCP/IP packet must carry the entire packet information, i.e. transport and network header plus 1 byte (41 bytes for TCP/IP). This means that the header portion is not to be fragmented.

Pall Ramanathan

On Feb 16, 2005, at 5:51 AM, Vishwas Manral wrote: 

  

Hi folks,

IP packets containing TCP payload can be fragmented. Firewalls have checks on TCP flags to check if there are illegal combinations of TCP flags. However if the TCP header in the IP packet itself is fragmented, it may not be easy to track such a packet.

What is the default behavior for such packets in which the TCP header itself is not completely there (I know a lot of hosts crash on getting such packets)? How do ISPs deal with such scenarios?

Thanks,

Vishwas

Pall Ramanathan 

Work: 678-9359670 

Mobile: 678-576-7105 

  

www.amalannetworks.com 

  

Learn like you will live for ever and Live like you will die tomorrow-Gandhi 
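
The filtering decision asked about in this thread, as an added example that is not part of the original messages: a stateless rule in the style of the tiny-fragment checks in RFC 1858, which drops a TCP first fragment that lacks the full header and any later fragment that starts inside it, while letting a short last fragment through. The 20-byte minimum, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

TCP = 6
TCP_FIXED_HDR = 20  # policy assumption: require the whole fixed TCP header


def build_ipv4(proto, frag_units, more_frags, payload):
    """Constructed sample input: 20-byte IPv4 header (checksum left 0) + payload.

    frag_units is the fragment offset field, counted in 8-byte units.
    """
    flags_off = (0x2000 if more_frags else 0) | frag_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload


def classify(pkt):
    """Return (verdict, reason) for one IPv4 packet seen by a stateless filter."""
    if len(pkt) < 20:
        return "DROP", "truncated IP header"
    ver_ihl, _, total_len, _, flags_off, _, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(pkt):
        return "DROP", "malformed IP header"
    if proto != TCP:
        return "PASS", "not TCP, outside this rule"
    offset = (flags_off & 0x1FFF) * 8   # fragment offset in bytes
    tlen = total_len - ihl              # transport bytes carried by this packet
    if offset == 0:
        # First (or only) fragment: the flags must be here to be inspected.
        if tlen < TCP_FIXED_HDR:
            return "DROP", "first fragment lacks full TCP header"
        return "PASS", "TCP header present for flag checks"
    if offset < TCP_FIXED_HDR:
        # A later fragment landing inside the header could rewrite the flags.
        return "DROP", "fragment starts inside TCP header"
    return "PASS", "later fragment, short length is legal"


if __name__ == "__main__":
    samples = {
        "8-byte first fragment": build_ipv4(TCP, 0, True, b"\x00" * 8),
        "fragment at offset 8": build_ipv4(TCP, 1, False, b"\x00" * 12),
        "5-byte last fragment": build_ipv4(TCP, 185, False, b"abcde"),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```
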