On Wed, 24 Sep 2008 07:30:01 -0700 (PDT), [EMAIL PROTECTED] wrote:
> The fragmentation and reassembly algorithm specified in the base IPv6
> specification allows fragments to overlap. This document
> demonstrates the security issues with allowing overlapping fragments
> and updates the IPv6 specification to explicitly forbid overlapping
> fragments.

| The TCP header has the following values of the flags S(YN)=0 and
| A(CK)=1. This makes an inspecting stateful firewall think that it is
| a response packet for a connection request initiated from the trusted
| side of the firewall. Hence it will allow the fragment to pass. It
| will also let the following fragments with the same Fragment
| Identification value in the fragment header pass through.

I could see this happen for a stateLESS firewall. But won't a stateFUL
firewall drop the packet as not being part of any existing flow?

AFAIK, Linux Netfilter would class the packet as INVALID in this case.

I don't suppose this nullifies the attack, but the example looks rather
like a bad one.

-- 
Rémi Denis-Courmont

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
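The fix the quoted draft proposes (later published as RFC 5722) is for the receiving reassembler to discard the entire datagram as soon as any fragment overlaps one already queued, rather than letting a later fragment rewrite bytes (such as the TCP flags) of an earlier one. The following is an added illustration of that reassembly policy; it is not code from the draft, from the list thread, or from any kernel. Fragments are modelled as plain records (src, dst, Identification, byte offset, M flag, payload) rather than parsed from raw packets, and the addresses, Identification values and payloads below are constructed sample data.

```python
"""Reassembly with overlap rejection in the style of RFC 5722 (added example).

Fragment records stand in for real IPv6 packets; the Fragment header
byte layout is not parsed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class OverlapError(Exception):
    """Raised when a fragment overlaps one already queued for the same datagram."""


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # Identification field of the Fragment header
    offset: int       # byte offset of this piece (Fragment Offset * 8)
    more: bool        # M flag: True unless this is the last fragment
    payload: bytes    # the part of the fragmentable section carried here


@dataclass
class _Queue:
    pieces: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (start, end, data)
    total: Optional[int] = None   # known once the last fragment (M=0) arrives


class Reassembler:
    """Collects fragments per (src, dst, ident) and discards the whole
    datagram on the first overlap, as RFC 5722 requires."""

    def __init__(self) -> None:
        self._queues: Dict[Tuple[str, str, int], _Queue] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Queue one fragment; return the reassembled datagram when complete."""
        key = (frag.src, frag.dst, frag.ident)
        if frag.more and len(frag.payload) % 8:
            raise ValueError("non-final fragment length must be a multiple of 8")
        q = self._queues.setdefault(key, _Queue())
        start, end = frag.offset, frag.offset + len(frag.payload)
        for s, e, _ in q.pieces:
            if start < e and s < end:       # byte ranges intersect
                del self._queues[key]       # drop everything received so far
                raise OverlapError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if q.total is not None and end > q.total:
            del self._queues[key]
            raise ValueError("fragment extends past the end of the datagram")
        q.pieces.append((start, end, frag.payload))
        if not frag.more:
            q.total = end
        if q.total is None:
            return None
        q.pieces.sort()
        covered = 0
        for s, e, _ in q.pieces:
            if s != covered:
                return None                 # a gap remains; wait for more
            covered = e
        if covered != q.total:
            return None
        del self._queues[key]
        return b"".join(data for _, _, data in q.pieces)


def verdict(frags: List[Fragment]) -> str:
    """Feed a fragment sequence through a fresh Reassembler and summarise the outcome."""
    r = Reassembler()
    try:
        for f in frags:
            if r.add(f) is not None:
                return "reassembled"
    except OverlapError:
        return "dropped"
    return "incomplete"


# Constructed sample: a 40-byte datagram split into three well-formed pieces.
CLEAN = [
    Fragment("2001:db8::1", "2001:db8::2", 0x1234, 0, True, b"A" * 16),
    Fragment("2001:db8::1", "2001:db8::2", 0x1234, 16, True, b"B" * 16),
    Fragment("2001:db8::1", "2001:db8::2", 0x1234, 32, False, b"C" * 8),
]

# Constructed sample: the second piece re-covers bytes 8..15 of the first,
# which is the situation an RFC 5722 reassembler must refuse outright.
OVERLAPPING = [
    Fragment("2001:db8::1", "2001:db8::2", 0x5678, 0, True, b"A" * 16),
    Fragment("2001:db8::1", "2001:db8::2", 0x5678, 8, True, b"B" * 16),
    Fragment("2001:db8::1", "2001:db8::2", 0x5678, 24, False, b"C" * 8),
]

if __name__ == "__main__":
    print("clean:", verdict(CLEAN))              # clean: reassembled
    print("overlapping:", verdict(OVERLAPPING))  # overlapping: dropped
```

The check is deliberately order-independent: fragments may arrive out of sequence, and the overlap test is made against every piece already queued, so a later fragment can never silently replace bytes of an earlier one. A firewall or host that reassembles with this rule does not need to reason about which fragment carried the TCP flags, which is the point of the draft's change.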