dave, all,
i'm actually doing some graduate research around IP fragmentation. based
on some preliminary research the answer to 'how much ip fragmentation do
you normally see' the answer is 'almost none' where 'almost none' is
defined over < 5% of packets and usually less than that.
if you're interested in methodology mail me privately.
as other people have posted, most of the fragmentation is based on systems
that don't do pathMTU discovery (there are some interesting systems
including, apparently, AIX, that do pathMTU discovery *after* the
connection is set up. very odd and i've no idea how they do that since
normally the DF=1 bit during connection setup is how pathMTU is
discovered, according to the algorithm originally described by kent &
mogul in "fragmentation considered harmful").
reassembling fragments before packet analysis should absolutely always be
done, all of this not-withstanding.
todd underwood
[EMAIL PROTECTED]
On Sun, 23 Apr 2000, Dave Carmean wrote:
> Date: Sun, 23 Apr 2000 14:54:52 -0700
> From: Dave Carmean <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Fragmentation in normal traffic?
>
>
> How much packet fragmentation do folks see in "normal" Internet
> traffic? I.e. where path-MTU discovery hasn't been broken, etc.
> In other words: what should I expect if I were to simply disallow all
> inbound fragments?
>
> Also, at a BayLISA meeting last week, Brent mentioned something about
> fragmentation being used to bypass packet filtering by somehow re-writing
> part of the header during reassembly, and I think he mentioned this as
> being something that Mitnick did as part of attacking Shimomura's machine(s)?
> Was this just the result of a buggy IP stack somewhere interpreting the
> offset field as a signed integer or something equally stupid?
>
> Thanks...
>
> --
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
