Date:      Wed, 7 May 1997 09:08:15 +1000 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Archie Cobbs <archie@whistle.com>
Cc:        Basti Zoltan <zbs@softec.sk>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <Pine.BSF.3.91.970507085748.4479t-100000@panda.hilink.com.au>
In-Reply-To: <199705061827.LAA16912@bubba.whistle.com>



On Tue, 6 May 1997, Archie Cobbs wrote:

> But it brings up another question.. how should we defend against
> UDP packets that are fragmented into a very small fragment (that
> doesn't contain the whole header) followed by the rest of the packet?
> 
> Note this is not a problem for TCP, thanks to our implementing the
> recommendation of RFC 1858.
> 
> Should ipfw be able to enforce a "minimum" initial fragment length?
> What is the best strategy here?
> 
> Or maybe I'm missing something obvious that makes this not a problem.

You could apply the RFC 1858 pragma to UDP also, with no ill effects.
When Poul-Henning and I put the RFC 1858 stuff into ipfw, I looked at UDP
and couldn't actually imagine a use for UDP frags with FO=1.  I'm not
saying there isn't one, though.  Probably best to just drop *all* IP
packets with FO=1, TCP, UDP or any other.  Not many people know a great
deal about GRE, for example, but it might be possible to tap into a
tunnel using bad fragments.  Paul Traina, can you comment?  You
wrote the RFC :-)

Danny
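
The two checks discussed in this thread (drop every fragment with FO=1 regardless of protocol, and enforce a minimum length on the initial fragment), written out as an added C sketch that is not part of the original message and is not ipfw's code. The function names, the verdict enum and the 16-byte TCP / 8-byte UDP minimums are assumptions made for illustration; the packets are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { PASS = 0, DROP_FO1, DROP_TINY_FIRST, DROP_MALFORMED };

/* Transport bytes the first fragment must carry so a filter can see what it
 * matches on (assumed values): TCP 16 = ports through flags, UDP 8 = header. */
static size_t min_first_frag(uint8_t proto)
{
    switch (proto) {
    case 6:  return 16;  /* TCP */
    case 17: return 8;   /* UDP */
    default: return 0;   /* no minimum enforced for other protocols */
    }
}

/* Classify one raw IPv4 packet; the IP header starts at pkt[0]. */
enum verdict frag_check(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t hlen  = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || total < hlen || total > len)
        return DROP_MALFORMED;

    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    uint16_t fo   = frag & 0x1fff;      /* fragment offset, 8-byte units */
    int      mf   = (frag & 0x2000) != 0; /* More Fragments flag */

    if (fo == 1)
        return DROP_FO1;                /* any protocol: TCP, UDP, GRE, ... */
    if (fo == 0 && mf && total - hlen < min_first_frag(pkt[9]))
        return DROP_TINY_FIRST;         /* transport header split across frags */
    return PASS;
}

/* Constructed sample builder: 20-byte IPv4 header plus a zeroed payload. */
size_t build_ipv4(uint8_t *buf, uint8_t proto, uint16_t frag, size_t paylen)
{
    size_t total = 20 + paylen;
    memset(buf, 0, total);
    buf[0] = 0x45;                                  /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(frag >> 8);  buf[7] = (uint8_t)frag;
    buf[9] = proto;
    return total;
}
```

The FO=1 rule is applied before the protocol is looked at, so it also covers protocols the filter has no minimum for.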


