Paul Cardon wrote:
> Well, that's one more than I knew about.  Sounds like I at least need to
> do some reading on Enternet if not play with it at some point.
> Question.  Do you then pass the original fragments or the result of the
> reassembly?

Currently, we pass the original fragments (in sequential order)
after having verified that they do not overlap, have legal
lengths, etc...

We have some plans on implementing (optional) complete reassembly
in the future, maybe on a per-interface or per-host-group basis. 

The reason to have it be optional is simply that
one may run out of RAM if reassembling packets for several 
thousand hosts in high speed (and it does have a throughput
of well over 200 Mbps). This would result in a "high security
mode" that "fails closed" if resources are exhausted.
Of course it could mean a very effective DoS for all fragmented 
traffic - which of course is why it'd be optional.

Regards,
Mikael

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
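A sketch of the fragment sanity checks described above (identification match, contiguity, no overlap, legal lengths, then emission in sequential order) without doing a full reassembly. This is an added example, not EnterNet's code; the `Fragment` layout, the 20-byte header assumption and the sample fragment trains are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_MAX_TOTAL_LEN = 65535  # largest IPv4 datagram, header included
IP_MIN_HEADER_LEN = 20    # assumption: no IP options on the reassembled datagram

@dataclass(frozen=True)
class Fragment:
    """Header metadata of one IPv4 fragment; payload is not kept, so memory per train is tiny."""
    ident: int    # Identification field shared by all fragments of one datagram
    offset: int   # Fragment Offset in bytes (header field * 8)
    length: int   # payload length in bytes
    more: bool    # More Fragments (MF) flag

def check_fragment_train(frags: List[Fragment]) -> Tuple[Optional[str], List[Fragment]]:
    """Return (None, fragments in sequential order) if the train is sane,
    otherwise (reason, []) meaning the whole train should be dropped."""
    if not frags:
        return "empty train", []
    ident = frags[0].ident
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # byte offset at which the next fragment must start
    for i, f in enumerate(ordered):
        if f.ident != ident:
            return f"fragment {i}: identification mismatch", []
        if f.length <= 0:
            return f"fragment {i}: empty fragment", []
        if f.offset % 8:
            return f"fragment {i}: offset not a multiple of 8", []
        if f.more and f.length % 8:
            return f"fragment {i}: non-final fragment length not a multiple of 8", []
        if f.offset < expected:  # overlaps data already covered by an earlier fragment
            return f"fragment {i}: overlaps previous data (offset {f.offset} < {expected})", []
        if f.offset > expected:  # hole in the train: cannot vouch for it, drop
            return f"fragment {i}: gap before offset {f.offset}", []
        if IP_MIN_HEADER_LEN + f.offset + f.length > IP_MAX_TOTAL_LEN:
            return f"fragment {i}: reassembled datagram would exceed {IP_MAX_TOTAL_LEN} bytes", []
        expected = f.offset + f.length
    if ordered[-1].more:
        return "last fragment has MF set: train incomplete", []
    return None, ordered

# Constructed sample trains: one sane (arriving out of order), one overlapping, one oversized.
GOOD = [Fragment(7, 1480, 1480, True), Fragment(7, 0, 1480, True), Fragment(7, 2960, 100, False)]
OVERLAP = [Fragment(8, 0, 1480, True), Fragment(8, 1472, 1480, True), Fragment(8, 2952, 100, False)]
OVERSIZE = [Fragment(9, 0, 65512, True), Fragment(9, 65512, 16, False)]

if __name__ == "__main__":
    for name, train in (("good", GOOD), ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        reason, ordered = check_fragment_train(train)
        print(name, "->", "pass" if reason is None else f"drop ({reason})", [f.offset for f in ordered])
```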