Date: Tue, 6 May 1997 16:16:26 -0700 (PDT) From: Archie Cobbs <archie@whistle.com> To: danny@panda.hilink.com.au (Daniel O'Callaghan) Cc: zbs@softec.sk, freebsd-hackers@FreeBSD.ORG Subject: Re: divert still broken? Message-ID: <199705062316.QAA20953@bubba.whistle.com> In-Reply-To: <Pine.BSF.3.91.970507085748.4479t-100000@panda.hilink.com.au> from Daniel O'Callaghan at "May 7, 97 09:08:15 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> > But it brings up another question.. how should we defend against > > UDP packets that are fragmented into a very small fragment (that > > doesn't contain the whole header) followed by the rest of the packet? > > > > Note this is not a problem for TCP, thanks to our implementing the > > recommendation of RFC 1858. > > > > Should ipfw be able enforce a "minimum" initial fragment length? > > What is the best strategy here? > > > > Or maybe I'm missing something obvious that makes this not a problem. > > You could apply the RFC 1858 pragma to UDP also, with no ill effects. > When Poul-Henning and I put the RFC1858 stuff into ipfw, I looked at UDP > and couldn't actually imagine a use for UDP frags with FO=1. I'm not > saying there isn't one, though. Probably best to just drop *all* ip > packets with FO=1, TCP, UDP or any other. Not many people know a great > deal about GRE, for example, but it might be possible to tap into a > tunnel using bad fragments. Paul Traina, can you comment? You > wrote the RFC :-) Ah, now I see.. remembering that FO is stored in bytes/8 (as you pointed out), it's not possible for a UDP header to be split across fragments in any way (since it's only 8 bytes long)... correct? -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199705062316.QAA20953>