Date: Sun, 3 Sep 2000 11:27:46 -0600 (MDT)
From: Nate Williams <nate@yogotech.com>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: Dragos Ruiu <dr@kyx.net>, cjclark@alum.mit.edu, "Crist J . Clark" <cjclark@reflexnet.net>, Bill Fumerola <billf@chimesnet.com>, Nicolas <list@rachinsky.de>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <200009031727.LAA03881@nomad.yogotech.com>
In-Reply-To: <Pine.NEB.3.96L.1000903094614.69440A-100000@fledge.watson.org>
References: <0009030256211M.20066@smp.kyx.net> <Pine.NEB.3.96L.1000903094614.69440A-100000@fledge.watson.org>
> My recollection was that fragments can be created that do not contain all
> of the transport-layer headers. For example, although it should not
> occur ``naturally,'' it is possible to fragment a packet immediately
> after the IP header but before the TCP-level port information is included.
> Similarly, later fragments may begin at arbitrary points in the datagram,
> based on how the PMTU caused the fragmentation at various points on the
> path.

Actually, isn't the purpose of PMTU to avoid the need to fragment the packet at intermediate routers? Since PMTU involves both endpoints of the link, it allows the originator to determine *if* a packet of a particular size can make it all the way from one end to the other w/out fragmentation.

It seems that fragmentation is a real problem for stateless firewalls, but it is a real problem that should be considered, especially since our existing IPFW is semi-stateful now. :)

Nate
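As an added example (not code from this thread or from ipfw), the following Python classifier shows what a stateless, port-based filter can and cannot see in each fragment of a TCP datagram: a first fragment cut short after the IP header may carry only part of the TCP header, and later fragments carry no ports at all. The addresses, ports and sample TCP header are constructed for the demonstration.

```python
import struct

TCP_HEADER_MIN = 20  # bytes a port/flag filter needs from the first fragment

# Constructed 20-byte TCP header: sport 40000, dport 22, SYN set.
SAMPLE_TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)

def build_fragment(ident, proto, offset, more, payload):
    """Build a constructed IPv4 fragment (no checksum; addresses from 192.0.2.0/24)."""
    assert offset % 8 == 0, "fragment offsets are carried in 8-byte units"
    flags_frag = (0x2000 if more else 0) | (offset // 8)  # MF flag + 13-bit offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

def parse_fragment(pkt):
    """Extract the IPv4 fields a fragment-aware filter looks at."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def transport_ports(frag):
    """Return (sport, dport) only when this fragment actually carries them."""
    if frag["offset"] == 0 and frag["proto"] == 6 and len(frag["payload"]) >= 4:
        return struct.unpack("!HH", frag["payload"][:4])
    return None  # non-first fragments expose no transport header at all

def classify(frag):
    """State what a stateless port filter can conclude from one fragment."""
    if frag["offset"] == 0 and not frag["more"]:
        return "unfragmented"
    if frag["offset"] == 0:
        if frag["proto"] == 6 and len(frag["payload"]) < TCP_HEADER_MIN:
            return "first-fragment-truncated-header"  # ports or flags partly missing
        return "first-fragment"
    if frag["proto"] == 6 and frag["offset"] < TCP_HEADER_MIN:
        return "fragment-inside-transport-header"    # lands on header bytes at reassembly
    return "later-fragment"                          # only IP-level fields are visible

if __name__ == "__main__":
    frags = [build_fragment(2, 6, 0, True, SAMPLE_TCP_HEADER[:8]),
             build_fragment(2, 6, 8, False, SAMPLE_TCP_HEADER[8:] + b"x" * 16)]
    for f in map(parse_fragment, frags):
        print(f["offset"], classify(f), transport_ports(f))
```

Reassembling fragments before filtering, as a stateful firewall does, is what removes this blind spot; the classifier only makes the gap visible.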