Thanks for the responses so far.  One more variation to this question.
What if there was an application on my network that instead of blocking,
I wanted to control the amount of bandwidth it consumed.  One might
define an ACL to identify the traffic by L4 port and map this traffic to
a rate-limiting mechanism.

Now, if the application generates data in such a way that it causes the
data to be mostly carried in IP fragments, this ACL will not identify all
packets associated with the application.  Rate-limiting will only manage
the bandwidth of the first IP packet in each segment.  This may or may not
work in throttling the traffic.

Does using the ACL "fragments" option help here, or would this require
moving to some other session identification mechanism?

(I've got no idea how likely standard applications are to send segments
sufficiently large so that IP fragmentation occurs...)

Thanks


Sean Knox wrote:
> 
> In addition to Priscilla's comments, sending IP/TCP/UDP fragments is a
> useful way to fingerprint a host's OS. The response from the fragmented
> packet(s) can be used as a clue to determine what OS/platform is running on
> the other end. Nmap, among many other tools, has options to send fragmented
> packets in a variety of ways. Check out http://www.insecure.org for some
> informative white papers on OS fingerprinting.
> 
> - Sean
> 
> -----Original Message-----
> From: bergenpeak [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 23, 2002 4:18 AM
> To: [EMAIL PROTECTED]
> Subject: ACLs, TCP segments, and the "fragments" keyword [7:32922]
> 
> Looking at extended ACLs I see there's an option to define ACL
> statements which can key on whether the IP packet contains a
> fragment.
> 
> Besides for NAT purposes, could someone provide me with a scenario
> where one would need to develop an ACL to key on IP packets carrying
> fragments?  I'd be particularly interested in situations where one
> might want to block a TCP application and decided that one had to
> block traffic to the TCP port as well as fragments going to the server.
> 
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33286&t=32922
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
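The following is an added, constructed example written for this page; it is not code from the thread, from any poster, or from Cisco. It models how an IOS-style extended ACL sees a fragmented TCP segment, so the two questions in the thread (does a port-based deny catch the non-initial fragments, and what does a port-based rate-limit classifier actually count) can be worked through on bytes rather than argued about. The fragment rules encoded in `acl_lookup` are an assumption that follows Cisco's documented fragment handling as I understand it: an ACE carrying the `fragments` keyword matches only non-initial fragments; an ACE with L4 information cannot check ports on a non-initial fragment, so a permit still permits it while a deny falls through to the next ACE; an L3-only ACE matches initial and non-initial fragments alike. The addresses, the 576-byte MTU, the 2000-byte request, the `ACE`/`Packet` classes and every function name are my own for illustration; verify the behaviour on your own platform before relying on it.

```python
"""Added model of extended-ACL fragment handling (constructed example, not IOS code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ident: int = 1, offset8: int = 0, more: bool = False) -> bytes:
    """Minimal IPv4 packet: 20-byte header (no options, checksum left 0) + payload.
    offset8 is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = (0x2000 if more else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def fragment(src: str, dst: str, proto: int, l4: bytes, mtu: int, ident: int = 7) -> List[bytes]:
    """Split one L4 datagram (header + data) into IP fragments that fit the MTU."""
    chunk = ((mtu - 20) // 8) * 8          # fragment payloads are multiples of 8 bytes
    return [build_ipv4(src, dst, proto, l4[off:off + chunk], ident, off // 8,
                       more=off + chunk < len(l4)) for off in range(0, len(l4), chunk)]


@dataclass
class Packet:
    dst: str
    proto: int
    offset8: int
    length: int              # IP total length, what a policer would count
    dport: Optional[int]     # only recoverable from the first fragment


def parse_ipv4(raw: bytes) -> Packet:
    vihl, _, total, _, flags_frag, _, proto, _, _, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl, offset8 = (vihl & 0x0F) * 4, flags_frag & 0x1FFF
    dport = None
    if offset8 == 0 and proto in (6, 17):    # the L4 header exists only at offset 0
        dport = struct.unpack("!HH", raw[ihl:ihl + 4])[1]
    return Packet(str(ipaddress.IPv4Address(d)), proto, offset8, total, dport)


@dataclass
class ACE:
    """One extended-ACL line; the source is taken as 'any' to keep the model short."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # 'eq <port>'
    fragments: bool = False      # the 'fragments' keyword


def acl_lookup(acl: List[ACE], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE), implicit deny at the end.
    Assumed fragment rules (see lead-in): 'fragments' ACEs match only non-initial
    fragments; an L4-qualified ACE cannot check a non-initial fragment, so a permit
    still permits it and a deny falls through; an L3-only ACE matches everything."""
    noninitial = p.offset8 != 0
    for i, ace in enumerate(acl):
        want = PROTO_NUM[ace.proto]
        if (want is not None and want != p.proto) or (ace.dst != "any" and ace.dst != p.dst):
            continue
        if ace.fragments:
            if noninitial:
                return ace.action, i
            continue
        if ace.dport is None:
            return ace.action, i
        if noninitial:
            if ace.action == "permit":
                return "permit", i
            continue
        if ace.dport == p.dport:
            return ace.action, i
    return "deny", None


def apply_acl(acl: List[ACE], raws: List[bytes]) -> Tuple[int, int]:
    """Bytes permitted vs denied. For a class-map style ACL read 'permitted'
    as 'classified into the rate-limited class'."""
    permitted = denied = 0
    for raw in raws:
        p = parse_ipv4(raw)
        if acl_lookup(acl, p)[0] == "permit":
            permitted += p.length
        else:
            denied += p.length
    return permitted, denied


SERVER = "10.0.0.5"
# Constructed traffic: one 2000-byte request segment (20-byte TCP header, dport 80)
# sent over a 576-byte MTU, so it travels as four IP fragments (572+572+572+384 bytes),
# plus one unfragmented 128-byte UDP datagram to port 53 on the same host as a control.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
HTTP_FRAGS = fragment("192.0.2.10", SERVER, 6, TCP_HDR + b"A" * 2000, mtu=576)
DNS_PKT = build_ipv4("192.0.2.10", SERVER, 17, struct.pack("!HHHH", 40001, 53, 108, 0) + b"Q" * 100)

BLOCK_PORT = [ACE("deny", "tcp", SERVER, 80), ACE("permit", "ip", "any")]
BLOCK_PORT_AND_FRAGS = [ACE("deny", "ip", SERVER, fragments=True)] + BLOCK_PORT
CLASSIFY_PORT = [ACE("permit", "tcp", SERVER, 80)]    # class-map / rate-limit match list


def demo() -> dict:
    """Run each ACL over the constructed packets; values are (permitted, denied) bytes."""
    return {
        "deny-by-port": apply_acl(BLOCK_PORT, HTTP_FRAGS),
        "deny-frags-then-port": apply_acl(BLOCK_PORT_AND_FRAGS, HTTP_FRAGS),
        "class-permit-by-port": apply_acl(CLASSIFY_PORT, HTTP_FRAGS),
        "class-permit-by-port/dns": apply_acl(CLASSIFY_PORT, [DNS_PKT]),
    }


if __name__ == "__main__":
    for name, (permitted, denied) in demo().items():
        print(f"{name:26s} permitted={permitted:5d}  denied={denied:5d}")
```

Under the modelled rules `deny tcp any host 10.0.0.5 eq 80` stops only the first fragment (572 bytes) and the three non-initial fragments (1528 bytes) fall through to `permit ip any any`; putting `deny ip any host 10.0.0.5 fragments` in front of it is what makes all 2100 bytes go away. The rate-limiting case behaves differently because the classifier is a permit: a `permit tcp any host 10.0.0.5 eq 80` match line cannot check the port on a non-initial fragment and so takes it on its L3 part, which means every fragment of the flow, and every non-initial fragment of any other TCP flow to that host, is charged to the class, while the unfragmented DNS packet is left out on the protocol mismatch. Whether that over-inclusive behaviour is acceptable, or whether a reassembling or stateful classifier is needed, is the practical question behind the thread.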