SonicWall firewalls drop fragmented SIP packets by default beginning with
SonicOS 5.8. This is justified by the following sentence:

> Fragmented UDP traffic, especially SIP traffic, is a clear violation of
> RFC protocol, which SonicOS Enhanced firmware 5.8 and above very strictly
> adhere to in these circumstances. RFC 3261 is the RFC standard for SIP
> traffic, and states the following:

> 18.1.1 Sending Requests
>
> The client side of the transport layer is
> responsible for sending the request and receiving responses. The user of
> the transport layer passes the client transport the request, an IP address,
> port, transport, and possibly TTL for multicast destinations. *If a
> request is within 200 bytes of the path MTU, or if it is larger than 1300
> bytes and the path MTU is unknown, the request MUST be sent using an RFC
> 2914 [43] congestion controlled transport protocol, such as TCP.*

My question is now: does this last sentence really mean that UDP
fragmentation is violating RFC 3261?

There is also an additional statement on their page:

> SonicOS enhanced firmware 5.6, which is no longer supported, was less RFC
> compliant on this, but 5.8 has enhanced security by becoming more strict.
> RFC 4693 goes into additional detail regarding security concerns of
> unnecessary packet fragmentation.

Unfortunately, RFC 4693 covers a completely different topic. Is there any RFC
which covers the topic of security concerns when using packet fragmentation?

I only found this statement in an older posting:

> SIP ALGs, STUN servers, etcetera, must allow UDP fragmentation unless they
> are intentionally sacrificing interoperability for security reasons.

https://lists.cs.columbia.edu/pipermail/sip-implementors/2005-May/009187.html

BR
Philipp
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
