From owner-freebsd-hackers Tue May 6 16:17:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12506 for hackers-outgoing; Tue, 6 May 1997 16:17:06 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA12499 for ; Tue, 6 May 1997 16:17:01 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id QAA27363; Tue, 6 May 1997 16:16:29 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma027361; Tue May 6 16:16:27 1997
Received: (from archie@localhost) by bubba.whistle.com (8.7.5/8.6.12) id QAA20953; Tue, 6 May 1997 16:16:27 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199705062316.QAA20953@bubba.whistle.com>
Subject: Re: divert still broken?
In-Reply-To: from Daniel O'Callaghan at "May 7, 97 09:08:15 am"
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Tue, 6 May 1997 16:16:26 -0700 (PDT)
Cc: zbs@softec.sk, freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > But it brings up another question.. how should we defend against
> > UDP packets that are fragmented into a very small fragment (that
> > doesn't contain the whole header) followed by the rest of the packet?
> >
> > Note this is not a problem for TCP, thanks to our implementing the
> > recommendation of RFC 1858.
> >
> > Should ipfw be able to enforce a "minimum" initial fragment length?
> > What is the best strategy here?
> >
> > Or maybe I'm missing something obvious that makes this not a problem.
>
> You could apply the RFC 1858 pragma to UDP also, with no ill effects.
> When Poul-Henning and I put the RFC1858 stuff into ipfw, I looked at UDP
> and couldn't actually imagine a use for UDP frags with FO=1. I'm not
> saying there isn't one, though. Probably best to just drop *all* ip
> packets with FO=1, TCP, UDP or any other. Not many people know a great
> deal about GRE, for example, but it might be possible to tap into a
> tunnel using bad fragments. Paul Traina, can you comment? You
> wrote the RFC :-)

Ah, now I see.. remembering that FO is stored in bytes/8 (as you
pointed out), it's not possible for a UDP header to be split across
fragments in any way (since it's only 8 bytes long)... correct?

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
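The two RFC 1858 checks discussed in this thread (drop FO=1, and require a first fragment to carry the transport header fields a filter inspects), as an added example written for this page, not ipfw's code. It builds constructed IPv4 headers without options; the 16-byte TCP minimum is RFC 1858's tmin choice and the `fragment_verdict` / `verdict_for` names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

enum verdict { PASS = 0, DROP_FO1 = 1, DROP_TINY = 2, DROP_MALFORMED = 3 };

/* Transport bytes a first fragment must carry so the fields a filter looks
 * at are present: the whole 8-byte UDP header, or the TCP header through the
 * flags byte (RFC 1858 tmin, 16 here). Unknown protocols get the 8-byte floor. */
static size_t min_first_fragment(uint8_t proto)
{
    return proto == PROTO_TCP ? 16 : 8;
}

enum verdict fragment_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return DROP_MALFORMED;
    unsigned off_field = ((unsigned)pkt[6] << 8) | pkt[7];
    int mf = (off_field >> 13) & 1;
    unsigned fo = off_field & 0x1fff;   /* fragment offset in 8-byte units */
    size_t transport_len = total - ihl;

    /* Indirect rule: FO=1 covers transport bytes 8..15, so it can only follow
     * a first fragment that carried 8 bytes; drop it for every protocol. */
    if (fo == 1) return DROP_FO1;
    /* Direct rule: a non-last first fragment is a multiple of 8 bytes, so it
     * always holds a full UDP header but may split a 20-byte TCP header. */
    if (fo == 0 && mf && transport_len < min_first_fragment(pkt[9]))
        return DROP_TINY;
    return PASS;
}

/* Constructed test packet: minimal IPv4 header, zeroed payload of `payload` bytes. */
enum verdict verdict_for(uint8_t proto, int mf, unsigned fo, size_t payload)
{
    uint8_t buf[128] = {0};
    size_t total = 20 + payload;
    if (total > sizeof buf) return DROP_MALFORMED;
    buf[0] = 0x45;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    unsigned off_field = (mf ? 0x2000u : 0u) | (fo & 0x1fffu);
    buf[6] = (uint8_t)(off_field >> 8); buf[7] = (uint8_t)off_field;
    buf[8] = 64; buf[9] = proto;
    return fragment_verdict(buf, total);
}
```

`verdict_for(PROTO_UDP, 1, 0, 8)` passes while `verdict_for(PROTO_TCP, 1, 0, 8)` is dropped as tiny, which is the asymmetry the thread arrives at.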