From owner-freebsd-hackers Tue May 6 16:04:55 1997
Date: Wed, 7 May 1997 09:08:15 +1000 (EST)
From: "Daniel O'Callaghan"
To: Archie Cobbs
cc: Basti Zoltan, freebsd-hackers@FreeBSD.ORG
Subject: Re: divert still broken?
In-Reply-To: <199705061827.LAA16912@bubba.whistle.com>

On Tue, 6 May 1997, Archie Cobbs wrote:

> But it brings up another question.. how should we defend against
> UDP packets that are fragmented into a very small fragment (that
> doesn't contain the whole header) followed by the rest of the packet?
>
> Note this is not a problem for TCP, thanks to our implementing the
> recommendation of RFC 1858.
>
> Should ipfw be able to enforce a "minimum" initial fragment length?
> What is the best strategy here?
>
> Or maybe I'm missing something obvious that makes this not a problem.

You could apply the RFC 1858 pragma to UDP also, with no ill effects.
When Poul-Henning and I put the RFC1858 stuff into ipfw, I looked at UDP
and couldn't actually imagine a use for UDP frags with FO=1. I'm not
saying there isn't one, though.

Probably best to just drop *all* IP packets with FO=1, TCP, UDP or any
other. Not many people know a great deal about GRE, for example, but it
might be possible to tap into a tunnel using bad fragments.

Paul Traina, can you comment? You wrote the RFC :-)

Danny
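
The two checks discussed in this message, the FO=1 drop (for TCP only, or for every protocol as the reply suggests) and a minimum length for the initial fragment, written out as an added example that is not ipfw code and not code from this thread. The names `frag_check` and `check_sample`, the verdict values and the minimum lengths (20 bytes for TCP, 8 for UDP) are assumptions; the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum verdict { PASS, DROP_FO1, DROP_SHORT_FIRST, DROP_MALFORMED };

/* Hypothetical filter, not ipfw code. strict_all != 0 drops FO=1 for every
 * protocol (the reply's suggestion); 0 limits the drop to TCP (RFC 1858). */
enum verdict frag_check(const uint8_t *p, size_t len, int strict_all)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (hlen < 20 || total < hlen || total > len)
        return DROP_MALFORMED;
    uint16_t fo = (uint16_t)(((p[6] << 8) | p[7]) & 0x1fff); /* 8-byte units */
    int mf = (p[6] & 0x20) != 0;            /* More Fragments flag */
    uint8_t proto = p[9];                   /* 6 = TCP, 17 = UDP */
    if (fo == 1 && (strict_all || proto == 6))
        return DROP_FO1;
    if (fo == 0 && mf) {                    /* initial fragment */
        /* Assumed minimums: fixed TCP header (20) and UDP header (8). */
        size_t need = proto == 6 ? 20 : proto == 17 ? 8 : 0;
        if (total - hlen < need)
            return DROP_SHORT_FIRST;
    }
    return PASS;
}

/* Build a constructed packet (20-byte header, zeroed payload) and check it. */
enum verdict check_sample(uint8_t proto, uint16_t frag, uint8_t payload, int strict_all)
{
    uint8_t b[20 + 255] = {0};
    size_t total = 20 + (size_t)payload;
    b[0] = 0x45;                            /* IPv4, IHL = 5 words */
    b[2] = (uint8_t)(total >> 8); b[3] = (uint8_t)total;
    b[6] = (uint8_t)(frag >> 8);  b[7] = (uint8_t)frag;
    b[9] = proto;
    return frag_check(b, total, strict_all);
}

int main(void)
{
    printf("UDP FO=1, TCP-only rule: %d\n", check_sample(17, 0x0001, 16, 0));
    printf("UDP FO=1, all protocols: %d\n", check_sample(17, 0x0001, 16, 1));
    printf("TCP first frag, 8 bytes: %d\n", check_sample(6, 0x2000, 8, 0));
    return 0;
}
```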