[unisog] Practical, Legitimate IP Fragmentation?

John Kristoff jtk at depaul.edu
Thu Mar 13 15:25:52 GMT 2003

On Wed, 12 Mar 2003 13:56:55 -0800
Peter Van Epp <vanepp at sfu.ca> wrote:

> wrong answer. The righter answer is have your firewall (or an OpenBSD
> box if your traffic is small enough to do it) defragment the IP
> stream at your border, allowing legit fragmentation to pass and

It may still range between extremely difficult and impossible to do this
depending on your environment.  Since fragments can arrive out of order
and take different paths, a network-based box (middlebox) may have
trouble getting all the fragments with which to examine the original
packet.  There may also be a timing problem that makes it dangerous for
the middlebox, which has to keep state while looking for all the pieces
of the fragmented datagram (which may never come).

If there is enough data in the initial fragment, you may be able to
apply a policy based on it, drop it and effectively prevent the other
fragments from doing anything worse than taking up capacity (since hosts
will not receive all fragments, they should silently discard the
remaining fragments of an incomplete datagram).  Of course, there are
still risks; see the following:




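The initial-fragment approach described in the post above, as an added example that is not part of the original message or of any code by its author: a stateless per-fragment filter that judges only the initial fragment (offset 0) against a port rule, passes non-initial fragments (which a host cannot reassemble once the initial one is gone), and refuses an initial fragment too short to carry the transport header. The deny rule (TCP destination port 23), the sample SYN, the addresses and the fragment sizes are all constructed for the example; the receiver-side reassembly is a simplified model that only checks for holes, and the IPv4 checksum is neither computed nor verified.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_MF = 0x2000           # "more fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

# Payload an initial fragment must carry before a policy decision is trusted:
# the full transport header (assumption for this example; a port-only rule
# could manage with 4 bytes, but then the rest of the header goes unseen).
MIN_INITIAL_PAYLOAD = {IPPROTO_TCP: 20, IPPROTO_UDP: 8}


@dataclass
class Fragment:
    ident: int
    proto: int
    src: bytes
    dst: bytes
    offset: int      # byte offset of this payload within the original datagram
    more: bool       # MF flag
    payload: bytes


def parse_ipv4(pkt: bytes) -> Fragment:
    """Parse the fixed IPv4 header and return the fragment's bookkeeping fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("inconsistent lengths")
    return Fragment(ident, proto, src, dst, (flags_off & IP_OFFSET_MASK) * 8,
                    bool(flags_off & IP_MF), pkt[ihl:total])


def decide(frag: Fragment, deny_tcp_dports: Set[int]) -> str:
    """Stateless per-fragment verdict, 'pass' or 'drop'.

    Only the initial fragment carries the transport header, so only it can be
    judged by a port rule. Non-initial fragments pass: without their initial
    fragment the receiver can never complete the datagram and discards the
    pieces when its reassembly timer fires.
    """
    if frag.offset != 0:
        return "pass"
    if len(frag.payload) < MIN_INITIAL_PAYLOAD.get(frag.proto, 0):
        return "drop"    # too short to show the transport header: refuse, don't guess
    if frag.proto == IPPROTO_TCP:
        dport = struct.unpack("!H", frag.payload[2:4])[0]
        if dport in deny_tcp_dports:
            return "drop"
    return "pass"


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Receiver-side reassembly model; None if any piece (or the last one) is missing."""
    buf, expected = bytearray(), 0
    for f in sorted(frags, key=lambda f: f.offset):   # arrival order does not matter
        if f.offset != expected:
            return None          # hole: an earlier fragment never arrived
        buf += f.payload
        expected += len(f.payload)
        if not f.more:
            return bytes(buf)
    return None                  # last fragment never arrived


def filter_and_deliver(packets: List[bytes],
                       deny_tcp_dports: Set[int]) -> Tuple[List[str], Optional[bytes]]:
    """Run packets through the border policy, then hand survivors to the receiver."""
    verdicts, survivors = [], []
    for pkt in packets:
        frag = parse_ipv4(pkt)
        verdicts.append(decide(frag, deny_tcp_dports))
        if verdicts[-1] == "pass":
            survivors.append(frag)
    return verdicts, reassemble(survivors)


def build_fragments(proto: int, src: bytes, dst: bytes, ident: int,
                    payload: bytes, frag_payload: int) -> List[bytes]:
    """Constructed input: split payload into IPv4 fragments of frag_payload bytes."""
    assert frag_payload % 8 == 0
    out = []
    for off in range(0, len(payload), frag_payload):
        chunk = payload[off:off + frag_payload]
        more = off + frag_payload < len(payload)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          (IP_MF if more else 0) | (off // 8), 64, proto, 0, src, dst)
        out.append(hdr + chunk)
    return out


def tcp_segment(dport: int) -> bytes:
    """Constructed 40-byte TCP SYN (20-byte header plus 20 bytes of filler) to dport."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"x" * 20


SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # RFC 5737 documentation addresses
DENY = {23}   # example policy: no inbound telnet

if __name__ == "__main__":
    telnet = build_fragments(IPPROTO_TCP, SRC, DST, 1, tcp_segment(23), 24)
    print(filter_and_deliver(telnet, DENY))          # (['drop', 'pass'], None)
    print(filter_and_deliver(telnet[::-1], DENY))    # out of order: (['pass', 'drop'], None)
    tiny = build_fragments(IPPROTO_TCP, SRC, DST, 3, tcp_segment(80), 8)
    print(filter_and_deliver(tiny, DENY))            # 8-byte initial fragment refused
```

Because the verdict is per fragment, the filter keeps no reassembly state and is indifferent to arrival order, which is exactly the property the post is after; the cost is that fragments of a denied datagram still cross the link, and that initial fragments too small to carry a transport header are refused even when legitimate.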