From owner-freebsd-security  Sun Sep  3 21:39:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4D59F37B43C; Sun,  3 Sep 2000 21:39:18 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Sun, 3 Sep 2000 21:38:03 -0700
Received: (from cjc@localhost)
	by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id VAA63203;
	Sun, 3 Sep 2000 21:39:04 -0700 (PDT)
	(envelope-from cjc)
Date: Sun, 3 Sep 2000 21:39:03 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Dragos Ruiu <dr@kyx.net>
Cc: Bill Fumerola <billf@chimesnet.com>,
	Darren Reed <avalon@coombs.anu.edu.au>,
	Robert Watson <rwatson@FreeBSD.ORG>, Nicolas <list@rachinsky.de>,
	freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903213903.Q62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <Pine.NEB.3.96L.1000903094614.69440A-100000@fledge.watson.org> <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com> <0009031819571V.20066@smp.kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <0009031819571V.20066@smp.kyx.net>; from dr@kyx.net on Sun, Sep 03, 2000 at 05:32:00PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Sep 03, 2000 at 05:32:00PM -0700, Dragos Ruiu wrote:
> On Sun, 03 Sep 2000, Bill Fumerola wrote:
> > On Mon, Sep 04, 2000 at 07:10:46AM +1100, Darren Reed wrote:
> > 
> > > It never reassembles and doesn't hold them in a buffer until they're
> > > all received either.
> > 
> > Which I still think is the proper behavior for both ipfw and ipfilter.
> > 
> 
> You don't have to buffer until they're reassembled.

Hmmm... Wha'?

> If you want to be
> rigorous, you may have to buffer in the case when you don't receive 
> the first segment first (in which case you would have to buffer until you
> received the first fragment with the headers that will let the firewall 
> decide if it should let the fragments through or not) but in practice 
> this is an extreme corner case, so  imho, you can cheat a little 
> and use a heuristic and say you won't buffer and if you don't receive 
> the first frag first too bad (because in practice mis-sequencing
> almost never occurs in the wild) - I don't know if there are any 
> RFC rules regarding this anyway, so you may even be able to
> declare this correct behaviour.  :-)

See RFC791, sec 3.2 and RFC1122, sec 3.3.2, 3.3.3.

Oh, and a totally unrelated topic, whose MUA puts _both_ my From: and
Reply-To: addresses in the recipients ensuring that I have received
each message in this thread twice?
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message