Firewall Wizards mailing list archives

Re: Proxy 2.0 secure? (AG vs. SPF)


From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 8 Jul 1998 10:46:16 -0400 (EDT)

On Tue, 7 Jul 1998, Ryan Russell wrote:

> But if the AG already defragged the packets, then there aren't
> the weird fragments going inside, right?  This assumes that
> your AG doesn't have to fragment on the way inside, or
> some intermediate device frags for you in such a way
> as to wipe out inside machines by chance.

This is a stretch, a long stretch.  All of a sudden you've got the AG stack 
innocently creating invalid fragments, or an internal router doing the same?  

Even NT doesn't do this, let alone any current router product.  The AG 
shouldn't fragment if the internal media is the same, heck we've even done 
TCP path MTU with the client, in the case of TCP based protocols, 
which is the bulk of what's passed today.  Since the AG lives on the network 
the client connects to, its packets will be as big as the MTU for that 
media.  

Passing malicious fragments is a heck of a lot different than creating 
malicious fragments.  Creating them would mean a bug, and would happen 
for every packet transiting the particular interface media, you'd spot 
it pretty quickly in testing.  Since we don't have variable MTU media, 
it's not likely to be a transient problem.  

I regularly run Ethernet homed gateways to Token Ring homed users and vice 
versa and have over the last several years, and I've yet to see an 
incorrectly generated fragment on behalf of a gateway, client station or 
router.  The problem with fragments isn't their existence, it's overlapping 
offsets, which once again, isn't a problem when you're an endpoint in the 
communication. 

The argument against fragments with malicious data is totally within the 
realm of packet filters and network IDS systems.  Frag content simply isn't a
threat to an AG or clients protected by one.  The only place you have a 
window of vulnerability with frags on an AG is in how long you hold a frag
prior to dropping it, and it's the same issue as SYN flooding.  Once 
again, your SPF will have the same issue if it reassembles frags, and 
the "protected" clients will if it doesn't. 


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
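
The two fragment concerns raised in the message above (overlapping offsets, and how long a reassembling endpoint holds fragments before dropping them), sketched as an added example that is not part of the original post. The 30-second hold, the 64-entry table cap, the strict drop-on-overlap policy and all names are assumptions.

```python
HOLD_SECONDS = 30   # assumed hold time; the post gives no figure
MAX_PENDING = 64    # assumed cap on datagrams awaiting reassembly


class Reassembler:
    """Endpoint-side reassembly: no overlaps accepted, holds are bounded."""

    def __init__(self, hold=HOLD_SECONDS, max_pending=MAX_PENDING):
        self.hold, self.max_pending = hold, max_pending
        self.pending = {}  # key -> {"first": t, "parts": {offset: bytes}, "total": n}

    def expire(self, now):
        """Drop datagrams held longer than the hold time; return how many."""
        stale = [k for k, d in self.pending.items() if now - d["first"] > self.hold]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def _drop(self, key, why):
        del self.pending[key]
        return ("dropped", why)

    def add(self, key, offset, data, more, now):
        """key = (src, dst, proto, ip_id); offset in bytes; more = MF flag.
        Returns ("complete", payload), ("waiting", None) or ("dropped", why)."""
        self.expire(now)
        if not data:
            return ("dropped", "empty")
        if key not in self.pending and len(self.pending) >= self.max_pending:
            return ("dropped", "table full")  # same exhaustion issue as a SYN flood
        d = self.pending.setdefault(key, {"first": now, "parts": {}, "total": None})
        end = offset + len(data)
        # Strict policy: any overlap (even an exact duplicate) discards the datagram.
        if any(offset < o + len(p) and o < end for o, p in d["parts"].items()):
            return self._drop(key, "overlap")
        d["parts"][offset] = data
        if not more:
            # A second "last" fragment is invalid; -1 forces the length check to fail.
            d["total"] = end if d["total"] is None else -1
        total = d["total"]
        if total is not None and max(o + len(p) for o, p in d["parts"].items()) > total:
            return self._drop(key, "inconsistent length")
        # No overlaps and nothing past the end, so matching length means no holes.
        if total == sum(len(p) for p in d["parts"].values()):
            del self.pending[key]
            return ("complete", b"".join(p for _, p in sorted(d["parts"].items())))
        return ("waiting", None)
```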