[57247] in North American Network Operators' Group
Re: RFC3514
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Apr 1 10:30:04 2003
Date: Tue, 01 Apr 2003 09:33:22 -0600
From: Jack Bates <jbates@brightok.net>
To: Scott Francis <darkuncle@darkuncle.net>
Cc: nanog@merit.edu
In-Reply-To: <20030401065647.GA5751@darkuncle.net>
Errors-To: owner-nanog-outgoing@merit.edu
Scott Francis wrote:
> Comments?
>
> (Nice to see Mr. Bellovin keeping up the holiday tradition ... :))
Yep.
" Fragments that by themselves are dangerous MUST have the evil bit
set. If a packet with the evil bit set is fragmented by an
intermediate router and the fragments themselves are not dangerous,
the evil bit MUST be cleared in the fragments, and MUST be turned
back on in the reassembled packet."
There is no guidelines for specifying how the router will determine if
the fragments themselves are dangerous. An attacker may carefully design
the evil packet with the expectation of fragmentation, allowing the
fragments themselves to be the tool of the attack. It is therefore
recommended that all fragment of a packet with the evil bit set should
also have the evil bit set when fragmentation is performed by an
intermediate router incapable of determining the dangerous nature of the
packets.
:)
-Jack
