Cisco problems

Mike Neuman (mcn@EnGarde.com)
Tue, 6 Jun 1995 11:08:16 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mike Neuman: "Re: Cisco problems"
Previous message: Paul Ferguson: "Re: Cisco problems"
Next in thread: Paul Ferguson: "Re: Cisco problems"

This post appeared on firewalls a couple days ago, and CIAC just issued
advisory F-25 for the same problem. The "discussion" Paul refers to didn't
happen on Firewalls. Does anyone have any more information on this?

-Mike
mcn@EnGarde.com

---- Begin included message ----

From: Paul Traina <pst@Shockwave.COM>
Date: Fri, 02 Jun 1995 15:21:49 -0700
Subject: IP packet filtering...the non-obvious fix

Since enough discussion has occured on this list to reproduce the design
flaw,  it shouldn't hurt for me to propose an alternate fix,  as the ones
I've seen proposed don't cover every possibility.

There is really only one way you can be sure of fixing this, since you can't
control what algorithm the remote host uses for fragmentation reassembly.

It *doesn't* involve checking the length of packets before examining the
flags,  hence the comment in the cisco advisory stating that we think
others have a problem too.

If  you are doing something that needs to examine tcp flag bits
and the packet is a tcp packet
and the fragment offset in the IP header is 1
then    consider the packet suspect (do whatever you do with evil stuff)

Obviously, you'd want to code this in the most efficient manner for
your particular implementation, but those are the checks that could be
performed to detect this problem (you could just consider suspect all packets
with FO=1 if you want to use a hammer on the problem).

RFC791 demands that an IP stack must be capable of passing an 8 byte IP data
payload without further fragmentation (fragments sit on 8 byte boundaries).
Since an IP header can be up to 60 bytes long (including options), this means
that the minimum MTU on a link should be 68 bytes.

A typical IP header is only 20 bytes long and can therefore carry 48 bytes of
data.  No one in the real world should EVER be generating a TCP packet with
FO=1, as it would require both that a previous system fragmenting IP data down
to the 8 byte minimum and a 60 byte IP header.

The only time you're ever likely to see a packet with FO=1 is if a bad guy is
knocking at your door.

Yours for a safer Internet,

Paul

p.s. I am not speaking in any capacity for a company whose name begins with 'c'.

--- End included message ---

Next message: Mike Neuman: "Re: Cisco problems"
Previous message: Paul Ferguson: "Re: Cisco problems"
Next in thread: Paul Ferguson: "Re: Cisco problems"