
RE: TCP small fragments



First, ANY IP protocol can have fragments, not just TCP/UDP...
Fragments are handled at the IP layer.

Second, it varies.

Some systems collect the fragments until they have all the fragments, then
reassemble them and make decisions on the full packet.

If the fragment reassembly timeout occurs and the first fragment was received,
the system is supposed to send back an ICMP error message.

As far as I know, no large ISPs are blocking fragments through their
network.

It is a common best practice to rate-limit or drop fragments TOWARDS
network elements within an ISP.
 
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of
Vishwas Manral
Sent: Wednesday, February 16, 2005 3:51 AM
To: opsec@ops.ietf.org
Subject: TCP small fragments


Hi folks,
 
IP packets containing TCP payload can be fragmented. Firewalls have
checks on TCP flags to check if there are illegal combinations of TCP
flags. However if the TCP header in the IP packet itself is fragmented,
it may not be easy to track such a packet.
 
What is the default behavior for such packets in which the TCP header
itself is not completely there (I know a lot of hosts crash on getting
such packets)? How do ISPs deal with such scenarios?
 
Thanks,
Vishwas
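
The situation raised in this thread, as an added example that is not part of either message: a stateless filter can only check TCP flags if the first fragment holds the TCP header, so this sketch flags fragments where it does not. The function names, the labels, the 20-byte threshold and the sample packets are assumptions of the example.

```python
import struct

IPPROTO_TCP = 6
TCP_MIN_HEADER = 20  # shortest TCP header; the flags byte sits at offset 13

def classify_ipv4(packet: bytes) -> str:
    """Classify one IPv4 packet for a stateless filter (labels are this example's own)."""
    if len(packet) < 20:
        return "malformed"
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return "malformed"
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    offset = (flags_frag & 0x1FFF) * 8           # fragment offset in bytes
    payload_len = total_len - ihl
    if not more_fragments and offset == 0:
        return "not-fragment"
    if proto == IPPROTO_TCP:
        # First fragment too short to hold the TCP header: flags cannot be checked.
        if offset == 0 and payload_len < TCP_MIN_HEADER:
            return "tiny-first-fragment"
        # Later fragment that carries (or could overwrite) TCP header bytes.
        if 0 < offset < TCP_MIN_HEADER:
            return "header-in-later-fragment"
    return "fragment"

def build(proto: int, mf: bool, offset_units: int, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header, checksum left at zero."""
    flags_frag = (0x2000 if mf else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

# Constructed inputs; payload bytes are filler, not real TCP headers.
SAMPLES = {
    "whole TCP segment": build(6, False, 0, bytes(20)),
    "normal first fragment": build(6, True, 0, bytes(24)),
    "8-byte first fragment": build(6, True, 0, bytes(8)),
    "fragment at offset 8": build(6, False, 1, bytes(12)),
    "fragment at offset 24": build(6, False, 3, bytes(16)),
    "UDP first fragment": build(17, True, 0, bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {classify_ipv4(pkt)}")
```

What to do with each label (drop, rate-limit, or pass to a reassembling device) is a policy decision the code leaves open.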