On Wed, Jun 22, 2005 at 02:35:37PM -0400, John A. Sullivan III wrote:
> We are working to use an iptables based VPN for a client where the
> certificates do not fit into a single packet. Thus we have a
> fragmentation problem. We normally drop all fragments on the Internet
> interfaces in our rule sets. We are a little hesitant to stop doing so.
>
> Does connection tracking make it safe to do so or does it make it more
> dangerous? I understand that connection tracking will reassemble the
> fragments. If someone is trying to attack by sending lots of non-head
> fragments, will connection tracking drop those as invalid or will this
> produce a denial of service attack as connection tracking tries to match
> a flood of fragments without first fragments? Thanks - John

Connection tracking just uses the normal ip_defrag() code, so it would
behave exactly like the fragment cache of a Linux end host.

And no, conntrack cannot make fragment-based attacks safe. IP
fragmentation on the open internet is a serious flaw and introduces many
security risks.

Please see my signature ;)

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
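To make the "behaves like the fragment cache of an end host" answer concrete, here is an added example (not code from the thread, from Harald, or from netfilter): a simplified model of a per-datagram fragment queue with the memory thresholds and idle timeout that the Linux cache exposes as sysctls. The eviction policy (oldest queue first), byte rather than 8-byte offsets, and the dict-based queue layout are assumptions of this model, not the kernel's actual data structures; it shows how a flood of non-first fragments that can never complete fills the cache and pushes out legitimate half-assembled datagrams until eviction or timeout reclaims them.

```python
# Added example (not from the thread or netfilter): a simplified model of the
# end-host fragment cache behind ip_defrag(). Thresholds mirror the sysctls
# net.ipv4.ipfrag_high_thresh/low_thresh/ipfrag_time; eviction order is simplified.
from collections import OrderedDict

class FragCache:
    def __init__(self, high_thresh=4_000_000, low_thresh=3_000_000, timeout=30.0):
        self.high, self.low, self.timeout = high_thresh, low_thresh, timeout
        self.queues = OrderedDict()  # key -> {"t": created, "frags": {off: bytes}, "end": len|None}
        self.mem = self.evicted = self.expired = self.reassembled = 0

    def _drop(self, key):
        q = self.queues.pop(key)
        self.mem -= sum(len(p) for p in q["frags"].values())

    @staticmethod
    def _complete(q):
        covered = 0  # offsets must cover [0, end) with no holes
        for off in sorted(q["frags"]):
            if off > covered:
                return False
            covered = max(covered, off + len(q["frags"][off]))
        return covered == q["end"]

    def add(self, key, offset, more_fragments, payload, now):
        """Feed one fragment; return the reassembled datagram, or None while waiting."""
        for k, q in list(self.queues.items()):  # expire idle queues first
            if now - q["t"] > self.timeout:
                self._drop(k)
                self.expired += 1
        q = self.queues.setdefault(key, {"t": now, "frags": {}, "end": None})
        if offset in q["frags"]:
            return None  # duplicate fragment
        q["frags"][offset] = payload
        self.mem += len(payload)
        if not more_fragments:  # MF=0 marks the last fragment
            q["end"] = offset + len(payload)
        if q["end"] is not None and self._complete(q):
            data = b"".join(q["frags"][o] for o in sorted(q["frags"]))
            self._drop(key)
            self.reassembled += 1
            return data
        # A flood of orphan non-first fragments fills queues that never complete;
        # past high_thresh the oldest queues are evicted down to low_thresh.
        if self.mem > self.high:
            while self.mem > self.low and self.queues:
                self._drop(next(iter(self.queues)))
                self.evicted += 1
        return None
```

The key is the (src, dst, proto, id) tuple a real cache would use; the example runs with any hashable key and constructed byte payloads.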