Hello everybody,
I recently faced one strange problem with Ciscos.

If we have an extended access-list:
  access-list 101 permit tcp any any eq 80
  access-list 101 deny ip any any
how does a Cisco router process fragmented packets?

The problem is, only the first fragment with offset==0 contains required
layer 4 information (like TCP port number), and all subsequent fragments do
not contain required information for access-list to make a decision.

In theory the only "honest" approach is to associate subsequent
non-informative fragments with the first one.
But it looks like normal Cisco IOS DOES NOT keep fragment information, and
fragments other than the first one are ALWAYS passed!
I suspect this because:
1) I experienced a situation when all fragments with offset!=0 were always
passed by access-list 101 (even if these fragments DID NOT match the entered
access-list rules).
2) fragment filtering is mentioned as a unique feature of the IOS firewall
feature set;
3) probably keeping fragment information can be very expensive in terms of
CPU and memory.

So IMHO in Cisco IOS ACLs there is an implicit rule like this:

access-list 101 permit ip any any fragments
! "fragments" is an imaginary option, Cisco doesn't understand it in fact

Is it true?

Now the actual problem description (why I have this suspicion and why it
is a problem for me!). We use policy-routing for a transparent cache setup;
there is an extended access-list 101 that filters HTTP traffic only, and
packets that match the access-list are redirected to the cache server. Everything
works just fine, but the router redirects any fragment to the cache, not only
fragments of HTTP packets, as if any fragment matched access-list 101!

For example, fragmented ping packets (ICMP) going through the router are
also redirected to cache:
- Ping with packet size 500 (non-fragmented) succeeds and goes the normal way
(doesn't match the access-list)
- Ping with packet size 2000 (fragmented) fails, because the second fragment
is redirected to cache (matches access-list 101, but should NOT).
- Ping with packet size 2000 (fragmented) succeeds, when policy-routing is
disabled.

Is there any workaround for this problem and is my explanation true?

Alex

PS. Additional information:
IOS 12.0(7)T
Cisco 3640
I can send the real config and sniffer capture logs if somebody needs them.

PPS. I guess now we should really care about fragmented packets. Several
years ago fragments were (probably) mostly an indication of poor network
design.
Now with widespread use of VPN/IPsec tunnels fragmentation is unavoidable.

In fact, the problem above was noticed by our customers, because their VPN
tunnels stopped working ;)
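An added illustration, not part of Alex's post and not Cisco code: a small Python model of the two fragment-handling policies the post contrasts, the stateless "implicit permit for fragments" rule Alex suspects, and the stateful "honest" approach that associates non-initial fragments with the first fragment of the same datagram. The fragments, addresses and the simplified ACL are constructed; the stateless rule models the post's hypothesis, not the documented behaviour of any IOS release.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int                   # shared by all fragments of one datagram
    proto: str                   # "tcp", "icmp", ...
    offset: int                  # 0 for the first fragment (8-byte units)
    dport: Optional[int] = None  # only the first fragment carries L4 data

# Simplified form of access-list 101 from the post: (action, protocol, dport)
ACL_101: List[Tuple[str, str, Optional[int]]] = [("permit", "tcp", 80), ("deny", "ip", None)]

def match_l4(acl, frag: Fragment) -> str:
    """Evaluate a fragment that carries a layer-4 header against the ACL."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != frag.proto:
            continue
        if dport is not None and dport != frag.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def stateless(acl, frag: Fragment) -> str:
    """Post's hypothesis: non-initial fragments bypass the ACL entirely."""
    if frag.offset != 0:
        return "permit"          # nothing to compare a port against
    return match_l4(acl, frag)

class StatefulFilter:
    """'Honest' approach: remember the first fragment's verdict per datagram."""
    def __init__(self, acl):
        self.acl = acl
        self.verdicts: Dict[tuple, str] = {}   # this table is the memory cost
    def decide(self, frag: Fragment) -> str:
        key = (frag.src, frag.dst, frag.ip_id, frag.proto)
        if frag.offset == 0:
            self.verdicts[key] = match_l4(self.acl, frag)
            return self.verdicts[key]
        # First fragment lost or reordered: no basis for a decision, drop it.
        return self.verdicts.get(key, "deny")

# Constructed 2000-byte ping and HTTP datagrams split at a 1500-byte MTU:
# the second fragment starts at byte 1480, i.e. offset 185 in 8-byte units.
PING = [Fragment("10.0.0.1", "10.0.0.2", 7, "icmp", 0),
        Fragment("10.0.0.1", "10.0.0.2", 7, "icmp", 185)]
HTTP = [Fragment("10.0.0.1", "10.0.0.2", 8, "tcp", 0, 80),
        Fragment("10.0.0.1", "10.0.0.2", 8, "tcp", 185)]

def run_stateless(frags):
    return [stateless(ACL_101, f) for f in frags]

def run_stateful(frags):
    flt = StatefulFilter(ACL_101)
    return [flt.decide(f) for f in frags]
```

With the stateless rule the second ping fragment is permitted (and so would be policy-routed to the cache), which reproduces the symptom in the post; the stateful filter denies it because its first fragment was denied.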

