From: ElephantChild [mailto:[EMAIL PROTECTED]]
>> So IMHO in Cisco IOS ACLs there is an implicit rule like this:
>>
>> access-list 101 permit ip from any to any fragments
>> ! "fragments" is an imaginary option, Cisco doesn't understand it in fact
>>
>> Is it true?
>It used to be. In late 1995, it was used in an attack by sending
>overlapping fragments with different values in the TCP header. The first
>fragment (offset 0) would pass through because it had harmless source
>and destination ports, and the other fragment would pass because its
>offset was != 0, and could overwrite (depending on how reassembly was
>implemented in the receiving host) the TCP port values in the first
>fragment.
>
>Following that, the rule was changed to always reject fragments with an
>offset != 0, if they overlap the TCP header. RFC1858 discusses that in
>some depth, and ISTR that there's a security advisory somewhere on
>http://www.cisco.com/.
OK, but this means that normal ("non-suspicious") fragments with offset != 0
are still passed by extended access-lists, whatever you write in the
access-list.
Very strange; why doesn't Cisco mention this behaviour on their web site?
If it is a feature, not a bug, they still have to describe it, because
this may have a HUGE impact on network operation, especially in the case of
policy routing (as happened with me).
I even passed CCNP without knowing this ;) (at that time I used to think
that Cisco had a fragment cache for transit traffic and made intelligent
decisions about each and every fragment).
By the way, the best workaround in my case (to set up a transparent HTTP
cache) was to use WCCP instead of policy routing. In fact, WCCP does exactly
the same thing: it reroutes all TCP packets with dst_port==80 to a cache
server. But WCCP does not have this bug: it does not reroute non-HTTP
fragments to a cache.
AAAARGH. A terrible thought: what does WCCP do with fragmented HTTP
requests? Will these fragmented requests reach the cache server? Didn't they
change "permit all non-suspicious fragments" to "deny all fragments"?
Should verify it...
Alex,
CCNP
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
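The attack the quoted reply describes, as an added example that is not part of the original thread. The Python below models a stateless extended ACL that can inspect TCP ports and flags only in the initial fragment (non-initial fragments are judged on addresses and protocol alone; permit entries match them and deny entries are skipped, which is this example's reading of the behaviour the thread complains about, not IOS code), the RFC 1858 checks that close the hole (drop TCP fragments with fragment offset 1, and initial TCP fragments shorter than a full header; the 20-byte minimum is this example's choice), and a last-fragment-wins reassembler. One caveat: a fragment at offset 1 begins at byte 8 of the TCP segment, so it can rewrite the flags (bytes 12-13) but not the ports (bytes 0-3); RFC 1858's overlapping-fragment example therefore turns an "established"-looking ACK packet into a SYN, which is what the code reproduces. The rule set, addresses and packets are constructed for the example.

```python
"""Added example (not code from the thread): a model of an extended ACL's handling of
IP fragments and of the RFC 1858 overlapping-fragment attack. Packets, rules,
addresses and reassembly policy are constructed simplifications, not IOS code."""
from dataclasses import dataclass
from typing import Optional

TCP_SYN, TCP_ACK = 0x02, 0x10
FRAG_UNIT = 8  # the IP fragment offset field counts 8-byte units


@dataclass
class Fragment:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    offset: int   # fragment offset in 8-byte units; 0 = initial fragment
    more: bool    # MF bit
    data: bytes   # slice of the transport segment carried by this fragment


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: Optional[str] = None    # None = any
    dport: Optional[int] = None  # layer-4 qualifier (eq <port>)
    established: bool = False    # layer-4 qualifier: ACK bit must be set


def tcp_segment(sport, dport, flags, payload=b""):
    """Constructed 20-byte TCP header without options, followed by payload."""
    h = bytearray(20)
    h[0:2], h[2:4] = sport.to_bytes(2, "big"), dport.to_bytes(2, "big")
    h[4:8] = (1).to_bytes(4, "big")       # sequence number
    h[12], h[13] = 5 << 4, flags          # data offset (5 words), flags
    h[14:16] = (8192).to_bytes(2, "big")  # window
    return bytes(h) + payload


def fragment_segment(src, dst, proto, segment, sizes):
    """Cut a segment into fragments of the given sizes (all but the last a multiple of 8)."""
    frags, pos = [], 0
    for i, n in enumerate(sizes):
        frags.append(Fragment(src, dst, proto, pos // FRAG_UNIT, i < len(sizes) - 1, segment[pos:pos + n]))
        pos += n
    return frags


def classic_acl(rules, f):
    """Extended ACL without fragment awareness, as modelled here: a non-initial fragment
    carries no layer-4 header, so an entry with layer-4 qualifiers is judged on layer 3
    alone; if it is a permit the fragment passes, if a deny the entry is skipped."""
    for r in rules:
        if r.proto not in ("ip", f.proto) or (r.dst is not None and r.dst != f.dst):
            continue
        if r.dport is None and not r.established:      # pure layer-3 entry
            return r.action
        if f.offset == 0:                                # initial fragment: header is here
            if f.proto == "tcp" and len(f.data) >= 14:
                dport, flags = int.from_bytes(f.data[2:4], "big"), f.data[13]
                if (r.dport is None or r.dport == dport) and (not r.established or flags & TCP_ACK):
                    return r.action
            continue
        if r.action == "permit":                         # non-initial fragment, layer-3 match
            return "permit"
    return "deny"  # implicit deny at the end of every ACL


def rfc1858_acl(rules, f):
    """RFC 1858's checks in front of the same ACL: drop a TCP fragment with offset 1 (it
    overlaps header bytes 8-15, where the flags are) and a TCP initial fragment too short
    for a full 20-byte header (tmin=20 is this example's choice)."""
    if f.proto == "tcp" and (f.offset == 1 or (f.offset == 0 and len(f.data) < 20)):
        return "deny"
    return classic_acl(rules, f)


def reassemble(frags, last_wins=True):
    """Host reassembly; with last_wins a later fragment overwrites overlapping bytes,
    the behaviour the attack relies on. Returns None while the packet is incomplete."""
    buf, seen, total = bytearray(), set(), None
    for f in frags:
        start, end = f.offset * FRAG_UNIT, f.offset * FRAG_UNIT + len(f.data)
        buf.extend(b"\x00" * max(0, end - len(buf)))
        for i in range(start, end):
            if last_wins or i not in seen:
                buf[i] = f.data[i - start]
            seen.add(i)
        if not f.more:
            total = end
    return bytes(buf[:total]) if total is not None and seen >= set(range(total)) else None


def filter_and_reassemble(acl, rules, frags):
    """What the host behind the filter ends up with after the ACL has done its work."""
    return reassemble([f for f in frags if acl(rules, f) == "permit"])


# Constructed policy: inbound HTTP to 10.0.0.5, return traffic of established sessions, deny the rest.
RULES = [Rule("permit", "tcp", dst="10.0.0.5", dport=80),
         Rule("permit", "tcp", established=True),
         Rule("deny", "ip")]
SRC, DST = "198.51.100.7", "10.0.0.5"  # constructed addresses


def overlapping_fragment_attack():
    """RFC 1858 style: an innocent-looking initial fragment (ACK set, looks 'established')
    followed by an offset-1 fragment that rewrites bytes 8-23, turning the packet into a SYN."""
    innocent = tcp_segment(40000, 23, TCP_ACK, b"\x00" * 4)   # 24 bytes, a multiple of 8
    hostile = tcp_segment(40000, 23, TCP_SYN, b"\x00" * 4)
    return [Fragment(SRC, DST, "tcp", 0, True, innocent),
            Fragment(SRC, DST, "tcp", 1, False, hostile[8:24])]


def legit_http_request():
    """A permitted HTTP request split into three ordinary fragments (offsets 0, 3, 7)."""
    seg = tcp_segment(40001, 80, TCP_ACK, b"GET / HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n".ljust(60, b"\x00"))
    return fragment_segment(SRC, DST, "tcp", seg, [24, 32, 24])


if __name__ == "__main__":
    atk = overlapping_fragment_attack()
    print("classic ACL, reassembled flags:", hex(filter_and_reassemble(classic_acl, RULES, atk)[13]))
    print("RFC 1858 ACL, reassembled packet:", filter_and_reassemble(rfc1858_acl, RULES, atk))
```

Through classic_acl both fragments of the attack pass (the first as "established", the second because it is non-initial), and a last-wins host reassembles a SYN to port 23 that the ACL would have denied as an initial fragment; rfc1858_acl drops the offset-1 fragment and nothing reassembles. The same classic_acl also permits any non-initial TCP fragment at all, since `permit tcp any any established` matches it on layer 3, which is the "implicit permit fragments" effect the thread is about. legit_http_request shows that ordinary fragmentation (offsets 0, 3, 7) still reassembles unchanged under the RFC 1858 rule, so "deny all fragments" is not what RFC 1858 asks for; whether a particular IOS or WCCP release does more than that is outside what this model can tell you.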