Hi Rémi,

Rémi Denis-Courmont wrote:
> On Wed, 24 Sep 2008 07:30:01 -0700 (PDT), [EMAIL PROTECTED] wrote:
> > The fragmentation and reassembly algorithm specified in the base IPv6
> > specification allows fragments to overlap.  This document
> > demonstrates the security issues with allowing overlapping fragments
> > and updates the IPv6 specification to explicitly forbid overlapping
> > fragments.
> 
> | The TCP header has the following values of the flags S(YN)=0 and
> | A(CK)=1.  This makes an inspecting stateful firewall think that it is
> | a response packet for a connection request initiated from the trusted
> | side of the firewall.  Hence it will allow the fragment to pass.  It
> | will also let the following fragments with the same Fragment
> | Identification value in the fragment header to pass through.
> 
> I could see this happen for a stateLESS firewall. But won't a stateFUL
> firewall drop the packet as not being part of any existing flow? AFAIK,
> Linux Netfilter would class the packet as INVALID in this case.
> 
> I don't suppose this nullifies the attack, but the example looks rather
> like a bad one.

The idea was that we could use the state created for a different flow to initiate an incoming flow. Maybe the text can be reworded a bit to make it clearer.

e.g. Look at the following example message flow

1) Inside_Host(Port X)->Outside_Host(Port Y) SYN=1,ACK=0
2) Outside_Host(Port Y)->Inside_Host(Port X) SYN=1,ACK=1
3) Inside_Host(Port X)->Outside_Host(Port Y) SYN=0,ACK=1

...

99) Outside_Host(Port Y)->Inside_Host(Port X) SYN=0,ACK=1
    (Fragment: OH(Port Z)->IH(Port 80) SYN=1,ACK=0)

The packet numbered 99) will not be filtered even by a stateful firewall.

Thanks
Suresh
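The message flow above, worked through as an added example that is not part of Suresh's message or of the draft: a small Python model of packet 99, the inspecting firewall, and the receiving host's reassembler. The port numbers standing in for X, Y and Z, the Fragment Identification value, the firewall's rule (inspect only the fragment that carries the TCP header, then pass anything with the same Fragment Identification) and the three reassembly policies are all constructed assumptions. The first fragment carries an ACK inside the established Y->X flow; the second overlaps it completely and rewrites the TCP header into a SYN from port Z to port 80. Whether the inside host ends up seeing the SYN depends only on which fragment's bytes win during reassembly, and a reassembler that discards overlapping fragments (the rule the draft proposes) drops the datagram altogether.

```python
import struct
from dataclasses import dataclass

# Constructed stand-ins for ports X, Y and Z in the message flow (assumption).
PORT_X, PORT_Y, PORT_Z = 40000, 443, 51515
TH_SYN, TH_ACK = 0x02, 0x10
NH_TCP = 6


def tcp_header(src_port, dst_port, flags):
    """20-byte TCP header, no options; checksum left zero (irrelevant here)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(data):
    src, dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"src": src, "dst": dst, "syn": bool(flags & TH_SYN), "ack": bool(flags & TH_ACK)}


@dataclass
class Fragment:
    ident: int    # Fragment Identification
    offset: int   # offset of this piece within the fragmentable part, in bytes
    more: bool    # M flag: more fragments follow
    data: bytes   # the piece itself (TCP header and/or payload)


def encode_fragment(f):
    """IPv6 Fragment header (next header, reserved, offset/res/M, identification) + data."""
    assert f.offset % 8 == 0, "fragment offsets are carried in 8-octet units"
    off_res_m = ((f.offset // 8) << 3) | int(f.more)
    return struct.pack("!BBHI", NH_TCP, 0, off_res_m, f.ident) + f.data


def decode_fragment(wire):
    _nh, _res, off_res_m, ident = struct.unpack("!BBHI", wire[:8])
    return Fragment(ident, (off_res_m >> 3) * 8, bool(off_res_m & 1), wire[8:])


class StatefulFirewall:
    """Assumed firewall behaviour: inspect the fragment carrying the TCP header
    against the flow table, then pass any later fragment that reuses an
    accepted Fragment Identification without looking inside it."""

    def __init__(self, established):
        self.established = set(established)   # (outside port, inside port) pairs
        self.accepted_ids = set()

    def passes(self, wire):
        f = decode_fragment(wire)
        if f.ident in self.accepted_ids:
            return True
        if f.offset != 0 or len(f.data) < 20:
            return False                      # no transport header to inspect: drop
        t = parse_tcp(f.data)
        looks_like_reply = t["ack"] and not t["syn"]
        if looks_like_reply and (t["src"], t["dst"]) in self.established:
            self.accepted_ids.add(f.ident)
            return True
        return False


def reassemble(frags, policy):
    """Reassemble in arrival order. policy: 'first' (earlier bytes win),
    'last' (a later fragment overwrites), or 'rfc5722' (discard on any overlap)."""
    buf, seen = bytearray(), bytearray()
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if seen[pos]:
                if policy == "rfc5722":
                    return None               # overlapping fragment: drop the datagram
                if policy == "first":
                    continue
            buf[pos] = byte
            seen[pos] = 1
    return bytes(buf) if all(seen) else None  # None if any hole remains


def build_attack(ident=0x1234):
    """Packet 99: a fragment that looks like an ACK inside the Y->X flow, then an
    overlapping fragment (same identification, offset 0) rewriting the header
    into a SYN from port Z to port 80. Both pieces are 8-octet aligned."""
    benign = tcp_header(PORT_Y, PORT_X, TH_ACK) + bytes(4)
    hostile = tcp_header(PORT_Z, 80, TH_SYN) + bytes(4)
    return [encode_fragment(Fragment(ident, 0, True, benign)),
            encode_fragment(Fragment(ident, 0, False, hostile))]


def run_scenario(policy):
    """Returns (number of fragments the firewall passed, TCP header the inside host
    ends up with, or None if its reassembler dropped the datagram)."""
    fw = StatefulFirewall({(PORT_Y, PORT_X)})   # state left by steps 1-3 of the flow
    passed = [w for w in build_attack() if fw.passes(w)]
    dgram = reassemble([decode_fragment(w) for w in passed], policy)
    return len(passed), (None if dgram is None else parse_tcp(dgram))


if __name__ == "__main__":
    for policy in ("first", "last", "rfc5722"):
        print(policy, run_scenario(policy))
```

Running it shows both fragments passing the firewall under every policy; with 'last' the host sees SYN=1,ACK=0 toward port 80 from port Z, with 'first' it sees the harmless ACK, and with the overlap-rejecting policy the datagram never reaches TCP at all. The same firewall drops a plain SYN to port 80 sent with a fresh Fragment Identification, which is why the attack needs the borrowed flow state.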

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
