[57252] in North American Network Operators' Group


Re: RFC3514

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Apr 1 12:25:41 2003

Date: Tue, 01 Apr 2003 09:22:22 -0800
From: Owen DeLong <owen@delong.com>
To: Jack Bates <jbates@brightok.net>,
	Scott Francis <darkuncle@darkuncle.net>
Cc: nanog@merit.edu
In-Reply-To: <3E89B142.5030703@brightok.net>
Errors-To: owner-nanog-outgoing@merit.edu


Hmmm.... Must be 4/1 again.

Owen


--On Tuesday, April 1, 2003 9:33 AM -0600 Jack Bates <jbates@brightok.net> 
wrote:

>
> Scott Francis wrote:
>> Comments?
>>
>> (Nice to see Mr. Bellovin keeping up the holiday tradition ... :))
> Yep.
>
> "   Fragments that by themselves are dangerous MUST have the evil bit
>     set.  If a packet with the evil bit set is fragmented by an
>     intermediate router and the fragments themselves are not dangerous,
>     the evil bit MUST be cleared in the fragments, and MUST be turned
>     back on in the reassembled packet."
>
> There are no guidelines for specifying how the router will determine if
> the fragments themselves are dangerous. An attacker may carefully design
> the evil packet with the expectation of fragmentation, allowing the
> fragments themselves to be the tool of the attack. It is therefore
> recommended that all fragments of a packet with the evil bit set should
> also have the evil bit set when fragmentation is performed by an
> intermediate router incapable of determining the dangerous nature of the
> packets.
>
>
> :)
>
> -Jack
>
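The fragmentation rule being joked about above is a real IPv4 header manipulation, so here is an added example (not code from either poster, nor from RFC 3514 itself) that parses the IPv4 flags/fragment-offset field, reads the reserved high-order bit that RFC 3514 names the "evil bit", and fragments a packet two ways: clearing the bit on fragments as the RFC text permits, or propagating it to every fragment as Jack Bates suggests. The `fragment`/`reassemble` helpers, the 10.0.0.x addresses and the payload are constructed for illustration; the checksum is the standard RFC 1071 one's-complement sum.

```python
import struct

# Bit layout of the 16-bit flags/fragment-offset field (RFC 791, plus RFC 3514):
EVIL = 0x8000          # reserved bit, which RFC 3514 designates the "evil bit"
DF = 0x4000            # Don't Fragment
MF = 0x2000            # More Fragments
OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, flags_frag: int, proto: int = 17,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Build an option-less IPv4 packet with a correct header checksum (addresses are constructed samples)."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header; 'evil' is the RFC 3514 bit, offsets are converted to bytes."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl, "total_length": total_len, "id": ident, "proto": proto, "src": src, "dst": dst,
        "evil": bool(flags_frag & EVIL), "df": bool(flags_frag & DF), "mf": bool(flags_frag & MF),
        "frag_offset": (flags_frag & OFFSET_MASK) * 8,
        "checksum_ok": checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def fragment(pkt: bytes, mtu: int, propagate_evil: bool = True) -> list:
    """Split pkt into fragments that fit mtu.  propagate_evil=True copies the evil bit to every
    fragment (Jack Bates's recommendation); False clears it on the fragments, as RFC 3514 allows
    a router to do when it judges the fragments harmless (this toy router cannot judge anything)."""
    h = parse_ipv4(pkt)
    if h["df"]:
        raise ValueError("DF set: packet must not be fragmented")
    chunk = (mtu - h["ihl"]) // 8 * 8          # fragment payloads are multiples of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU too small for any payload")
    payload, frags = h["payload"], []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = h["mf"] or (start + len(piece) < len(payload))
        flags = (MF if more else 0) | (((h["frag_offset"] + start) // 8) & OFFSET_MASK)
        if h["evil"] and propagate_evil:
            flags |= EVIL
        frags.append(build_ipv4(piece, h["id"], flags, h["proto"], h["src"], h["dst"]))
    return frags


def reassemble(frags: list) -> dict:
    """Reassemble a complete fragment set; the evil bit is restored if any fragment carried it."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda x: x["frag_offset"])
    expected = 0
    for h in parsed:                              # offsets must be contiguous, last fragment has MF clear
        if h["frag_offset"] != expected:
            raise ValueError("gap or overlap in fragment set")
        expected += len(h["payload"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    return {"id": parsed[0]["id"], "payload": b"".join(h["payload"] for h in parsed),
            "evil": any(h["evil"] for h in parsed)}


if __name__ == "__main__":
    original = build_ipv4(b"A" * 1000, 0x1234, EVIL)   # constructed 1000-byte UDP-ish payload, evil set
    for f in fragment(original, 576):
        print(parse_ipv4(f)["frag_offset"], parse_ipv4(f)["mf"], parse_ipv4(f)["evil"])
    print(reassemble(fragment(original, 576))["evil"])
```

With an MTU of 576 the 1000-byte payload becomes two fragments (552 and 448 bytes of payload); under the RFC's clear-on-fragment option neither fragment carries the bit, which is exactly the inspection gap the quoted post points at, whereas the propagate option keeps it on both and reassembly restores it either way the bit survived.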


