Antonios Atlasis wrote:
...
> Again, generally speaking (and not just for SEAL) RFC 5722 "allows"
> the abuse of its recommended policy for launching DoS attacks (a
> single overlapping fragment will result in discarding a whole
> datagram). On the contrary, if only the overlapping fragment is
> discarded, at least DoS will be slightly more difficult.

DoS is more difficult, but packet hijack is easier. All an attacker needs to do is inject a set of fragments before the next one from the source to cause it to appear to be an overlap and be rejected. Once the attacker can get the real fragments rejected as overlaps, the rest of the packet is filled with bogus attack fragments.

Wouldn't it have been better to drop the whole datagram? DoS is a problem, but undetected malicious data is worse.
Tony

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
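The two overlap policies under discussion can be compared with a small reassembly simulation. The following is an added example, not code from the thread or from any IPv6 stack: a toy per-datagram reassembly buffer that implements both "discard the whole datagram" (the RFC 5722 behaviour) and "discard only the overlapping fragment", replayed against a constructed arrival order in which a spoofed fragment with the same offset as a legitimate one arrives first. Fragment sizes, payloads, the `tag` labels and the `run_scenario` helper are all assumptions made for the simulation; the reassembler itself never looks at the labels.

```python
"""Toy IPv6 fragment reassembler comparing two overlap policies.

Added example; not code from the mailing-list thread.  Fragment sizes,
payloads and the arrival order below are constructed for the simulation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the datagram
    data: bytes   # fragment payload
    more: bool    # More-Fragments flag: True unless this is the last fragment
    tag: str      # simulation label only; the reassembler never consults it

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


@dataclass
class ReassemblyBuffer:
    """Holds fragments for one datagram and applies an overlap policy."""
    policy: str   # "drop-datagram" (RFC 5722) or "drop-fragment"
    pieces: List[Fragment] = field(default_factory=list)
    total_len: Optional[int] = None
    discarded: bool = False
    rejected: List[str] = field(default_factory=list)

    def _overlaps(self, frag: Fragment) -> bool:
        return any(frag.offset < p.end and p.offset < frag.end for p in self.pieces)

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the reassembled payload once complete."""
        if self.discarded:
            self.rejected.append(frag.tag)
            return None
        if self._overlaps(frag):
            self.rejected.append(frag.tag)
            if self.policy == "drop-datagram":
                # RFC 5722: the whole datagram is discarded, not just this piece
                self.discarded = True
                self.pieces.clear()
            # "drop-fragment": only the newcomer is ignored; earlier pieces stay
            return None
        self.pieces.append(frag)
        if not frag.more:
            self.total_len = frag.end
        return self._complete()

    def _complete(self) -> Optional[bytes]:
        if self.total_len is None:
            return None
        ordered = sorted(self.pieces, key=lambda f: f.offset)
        covered = 0
        for p in ordered:
            if p.offset != covered:
                return None   # hole: still waiting for a fragment
            covered = p.end
        if covered != self.total_len:
            return None
        return b"".join(p.data for p in ordered)


# Constructed arrival order: the legitimate datagram is A|B|C (24 bytes);
# a spoofed fragment B' with the same offset as B arrives before B does.
ARRIVALS = [
    Fragment(0,  b"HEAD-OK!", True,  "A  (legit)"),
    Fragment(8,  b"BOGUS!!!", True,  "B' (spoofed)"),
    Fragment(8,  b"BODY-OK!", True,  "B  (legit)"),
    Fragment(16, b"TAIL-OK!", False, "C  (legit)"),
]


def run_scenario(policy: str) -> Tuple[Optional[bytes], List[str]]:
    """Replay ARRIVALS under a policy; return (delivered payload, rejected tags)."""
    buf = ReassemblyBuffer(policy)
    delivered = None
    for frag in ARRIVALS:
        result = buf.add(frag)
        if result is not None:
            delivered = result
    return delivered, buf.rejected


if __name__ == "__main__":
    for policy in ("drop-fragment", "drop-datagram"):
        payload, rejected = run_scenario(policy)
        print(f"{policy:14s} delivered={payload!r} rejected={rejected}")
```

Under "drop-fragment" the legitimate middle fragment is the one thrown away and the datagram completes with the spoofed bytes in its place, which is the hijack Tony describes. Under "drop-datagram" the same overlap discards the whole buffer, so the receiver delivers nothing rather than unverifiable data; the cost is the DoS exposure Antonios raises, and the simulation makes it easy to see which failure an implementer is choosing.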