Firewall Wizards mailing list archives
RE: An ethernet frame with two IP packets inside?
From: Marc Delince <marc.delince () computer org>
Date: Thu, 29 Oct 1998 23:44:04 -0500
How would routers/switches react to such a frame? Will they forward the whole frame or will they truncate after the first IP packet? I would expect switches (layer 2 switches) to forward the whole frame (2 IP packets). AFAIK routers will truncate like any host, or at least they should. If routers truncate, then creating a frame with 2 IP packets inside is probably useless: as soon as they hit the first router the frame is reconstructed with only 1 IP packet inside. OTOH if they do not truncate this could be a nice way to evade a filtering router!!! Hmmm. Could anyone try it against a Cisco router? I would love to know the answer.

Marc Delince
marc.delince () computer org

-----Original Message-----
From: Ryan Russell [SMTP:ryanr () sybase com]
Sent: Thursday, October 29, 1998 1:30 AM
To: Keller
Cc: firewall-wizards () nfr net
Subject: Re: An ethernet frame with two IP packets inside?

I can't actually think of any way to get two IP packets inside a single Ethernet frame... custom crafted or not. Certainly an Ethernet frame doesn't care what its data portion is... It simply says here's my Ethertype, and I have this many bytes. This gets passed to an IP stack... IP stack wants to see an IP header... IP header says how many bytes there are. Even if there were a second IP header after the first IP "packet" I don't think any IP stacks will get that far. I'm pretty sure they will all either consider it a corrupt single packet, or just dump the rest of the bytes. I could be wrong.

Could such a beast be created, then two packets might make it through some type of packet filter and into an behind the PF. Sounds like it would be fun to try, though.

Ryan

Keller <keller () wiesbaden netsurf de> on 10/23/98 04:51:39 PM
Please respond to Keller <keller () wiesbaden netsurf de>
To: "firewall-wizards () nfr net" <firewall-wizards () nfr net>
cc: (bcc: Ryan Russell/SYBASE)
Subject: An ethernet frame with two IP packets inside?

Hi gurus and beardy wizards,

what happens if one ethernet frame contains two IP packets? I know, it *shouldn't* happen, but I could construct one, right? How will different TCP/IP stacks deal with the second IP packet? Could it slip through the filtering rules on some routers? Could it slip past static pattern matching firewalls (FW-1?)? Any ideas or pointers are greatly appreciated..

Cheers!
Stefan Keller

p.s.: I'm aware that it would imply that the attacker sits directly in front of the router/firewall server/whatever.. Then again, he could sit on a (compromised) Linux web server with .. let's say SPAK.. downloaded to that machine.
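The thread's question is what an IP stack does with bytes that follow the first IP packet inside one Ethernet frame. The Python below is an added example, not code from any of the posters: it constructs a frame carrying two minimal IPv4 datagrams back to back (all addresses, MACs and payloads are made up), parses it the way a length-honouring stack does (one packet, bounded by the IP total-length field), and then applies the check a filter or IDS would want: trailing bytes are expected only as zero padding up to the 46-byte Ethernet minimum, so trailing bytes that themselves parse as a valid IPv4 header are flagged. The helper functions `build_ipv4`, `build_ethernet`, `looks_like_ipv4_header` and `analyze_frame` are this example's own names, not a library API.

```python
# Added example, not from the mailing-list thread. Builds a constructed frame
# with two IPv4 datagrams, parses it as a normal stack would (one packet per
# frame, extent from the IP total length) and classifies the trailing bytes.
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_MIN_PAYLOAD = 46  # senders zero-pad shorter payloads up to this length


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. Returns 0 when the
    checksum already stored in the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 datagram (20-byte header, no options) for the sample frame."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ethernet(payload: bytes) -> bytes:
    """Ethernet II header with made-up locally administered MACs; payload is
    zero-padded to the 46-byte minimum as a real NIC driver would."""
    dst_mac = bytes.fromhex("02000000aa01")
    src_mac = bytes.fromhex("02000000aa02")
    payload = payload.ljust(ETH_MIN_PAYLOAD, b"\x00")
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def looks_like_ipv4_header(data: bytes) -> bool:
    """True if data starts with a plausible IPv4 header: version 4, sane IHL and
    total length, and a header checksum that verifies."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return False
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return 20 <= ihl <= total_len <= len(data) and ipv4_checksum(data[:ihl]) == 0


def analyze_frame(frame: bytes) -> dict:
    """Parse as a conventional stack does: exactly one IP packet per frame, its
    extent taken from the IP total-length field. A host never hands the
    remaining bytes to IP again; here they are classified instead of dropped."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    l3 = frame[14:]
    ihl = (l3[0] & 0x0F) * 4
    total_len = struct.unpack("!H", l3[2:4])[0]
    if not (20 <= ihl <= total_len <= len(l3)):
        raise ValueError("bad IPv4 length fields")
    trailing = l3[total_len:]
    return {
        "packets_seen": 1,  # a correct stack only ever sees the first one
        "src": ".".join(str(b) for b in l3[12:16]),
        "dst": ".".join(str(b) for b in l3[16:20]),
        "total_len": total_len,
        "trailing_len": len(trailing),
        # Legitimate trailing bytes: zero padding up to the Ethernet minimum.
        "trailing_is_padding": len(l3) <= ETH_MIN_PAYLOAD and not any(trailing),
        # Anomalous trailing bytes: they parse as a second IPv4 header.
        "trailing_has_ipv4": looks_like_ipv4_header(trailing),
    }


# Constructed sample traffic (made-up addresses and payloads).
FIRST = build_ipv4("10.0.0.1", "10.0.0.2", b"first")     # 25 bytes
SECOND = build_ipv4("10.0.0.1", "10.0.0.3", b"second")   # 26 bytes
DOUBLE_FRAME = build_ethernet(FIRST + SECOND)            # 51-byte payload, no padding
NORMAL_FRAME = build_ethernet(FIRST)                     # 25 bytes padded to 46

if __name__ == "__main__":
    for name, frame in (("two packets", DOUBLE_FRAME), ("normal padded", NORMAL_FRAME)):
        print(name, analyze_frame(frame))
```

The padding check matters in practice: almost every short frame on a wire carries trailing zeros, so "bytes after the IP total length" alone is not a useful alert; "non-zero trailing bytes that verify as an IPv4 header" is.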