RE: An ethernet frame with two IP packets inside?

[Marc Delince <marc.delince () computer org>]

How would routers/switches react to such a frame? Will they forward the whole frame or will they truncate after the 
first IP packet? I would expect switches (layer 2 switches) to forward the whole frame (2 ip packets). AFAIK routers 
will truncate like any host or at least they should.

If routers truncate, then creating a frame with 2 IP packets inside is probably useless: as soon as they hit the first 
router the frame is reconstructed with only 1 IP packet inside.

OTOH if they do not truncate this could be a nice way to evade a filtering router!!! Hmmm. Could anyone try it against 
a Cisco router? I would love to know the answer.

Marc Delince
marc.delince () computer org



-----Original Message-----
From:   Ryan Russell [SMTP:ryanr () sybase com]
Sent:   Thursday, October 29, 1998 1:30 AM
To:     Keller
Cc:     firewall-wizards () nfr net
Subject:        Re: An ethernet frame with two IP packets inside?


I can't actually think of any way to get two IP packets inside
a single Ethernet frame... custom crafted or not.

Certainly an Ethernet frame doesn't care what it's data
portion is...  It simply says here's my Ethertype, and I
have this many bytes.

This gets passed to an IP stack... IP stack wants to see an
IP header... IP header says how many bytes there are.
Even if there were a second IP header after the first
IP "packet" I don't think any IP stacks will get that far.
I'm pretty sure they will all either consider it a corrupt
single packet, or just dump the rest of the bytes.

I could be wrong.

Could such a beast be created, then two packets might make it through
some type of packet filter and into an behind the PF.

Sounds like it would fun to try, though.

                              Ryan





Keller <keller () wiesbaden netsurf de> on 10/23/98 04:51:39 PM

Please respond to Keller <keller () wiesbaden netsurf de>

To:   "firewall-wizards () nfr net" <firewall-wizards () nfr net>
cc:    (bcc: Ryan Russell/SYBASE)
Subject:  An ethernet frame with two IP packets inside?




Hi gurus and beardy wizards,

what happens if one ethernet frame contains two IP packets?

I know, it *shouldn't* happen, but I could construct one, right?
How will different tcpip stacks deal with the second IP packet?
Could it slip through the filtering rules on some routers?
Could it slip past static pattern matching firewalls (FW-1?) ?

Any ideas or pointers are greatly appreciated..

Cheers!

Stefan Keller

p.s.:
I'm aware that it would imply that the attacker sits directly
in front of the router/firewall server/whatever..
Then again, he could sit on a (compromised) Linux web server
with .. let's say SPAK.. downloaded to that machine.