On Sat, 24 Jul 2010, Warren Kumari wrote:
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
> >
> > Why would any inspection policy not allow fragmented UDP packets?
> > There's nothing wrong with that.
>
> Because it's "hard".... The issue is that then you need to buffer
> fragments until you get a full packet -- which leaves you open to
> attacks that send a bunch of fragments but leave one of them out.
>
> Vendors like to avoid reassembling fragments by default, because it
> makes their performance numbers better....

The Cisco PIX/ASA has horrible bugs in its SMTP inspection code, some also
related to packet boundaries. http://fanf.livejournal.com/102206.html

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: MAINLY SOUTH OR SOUTHWEST 3 OR 4,
OCCASIONALLY 5 LATER. SLIGHT OR MODERATE. RAIN OR SHOWERS. MODERATE OR GOOD.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
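The buffering problem Warren describes above, as an added illustration that is not part of the thread and is not any vendor's inspection code: a small reassembly table that has to hold fragments until a datagram is complete, and therefore needs a cap on pending state and a timeout so that datagrams whose last fragment never arrives cannot pin memory forever. Assumptions for brevity: fragment offsets are plain byte offsets rather than the 8-byte units of the IPv4 header, overlapping fragments are not resolved (the datagram simply waits until it times out), and the traffic in `demo()` is constructed.

```python
"""Bounded IP fragment reassembly table (illustrative, added example).

A middlebox that inspects fragmented UDP must buffer pieces until the
whole datagram is present. Without a cap on pending datagrams and a
timeout, a stream of datagrams that each omit one fragment grows the
table without bound. Assumptions: byte offsets (not 8-byte units), no
overlap resolution, constructed sample traffic.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Identifies one datagram under reassembly: (src, dst, protocol, identification).
FragKey = Tuple[str, str, int, int]


@dataclass
class _PendingDatagram:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None   # known once the fragment with MF=0 arrives
    buffered: int = 0                 # bytes held for this datagram


class FragmentReassembler:
    def __init__(self, max_pending: int = 64, timeout: float = 30.0,
                 max_datagram: int = 65535) -> None:
        self.max_pending = max_pending    # cap on concurrently buffered datagrams
        self.timeout = timeout            # seconds a partial datagram may wait
        self.max_datagram = max_datagram  # reject fragments past this boundary
        self._pending: "OrderedDict[FragKey, _PendingDatagram]" = OrderedDict()
        self.dropped = 0                  # fragments refused (table full or oversized)
        self.expired = 0                  # partial datagrams evicted by timeout

    def expire(self, now: float) -> None:
        """Evict partial datagrams older than the timeout."""
        stale = [k for k, p in self._pending.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self._pending[k]
            self.expired += 1

    def pending_count(self) -> int:
        return len(self._pending)

    def add_fragment(self, key: FragKey, offset: int, more_fragments: bool,
                     payload: bytes, now: float) -> Optional[bytes]:
        """Buffer one fragment; return the whole datagram once every piece is in."""
        self.expire(now)
        entry = self._pending.get(key)
        if entry is None:
            if len(self._pending) >= self.max_pending:
                self.dropped += 1         # refuse new state rather than grow unbounded
                return None
            entry = _PendingDatagram(first_seen=now)
            self._pending[key] = entry
        end = offset + len(payload)
        if end > self.max_datagram or (entry.total_len is not None and end > entry.total_len):
            self.dropped += 1             # fragment lies beyond the datagram: discard it all
            del self._pending[key]
            return None
        if not more_fragments:
            entry.total_len = end         # last fragment fixes the total length
        if offset not in entry.pieces:    # duplicates are ignored, not double counted
            entry.pieces[offset] = payload
            entry.buffered += len(payload)
        if entry.total_len is None or entry.buffered < entry.total_len:
            return None                   # still waiting; state stays in the table
        out = bytearray()                 # check the pieces tile [0, total_len) exactly
        for off in sorted(entry.pieces):
            if off != len(out):
                return None               # gap or overlap: wait for more, or time out
            out += entry.pieces[off]
        if len(out) != entry.total_len:
            return None
        del self._pending[key]
        return bytes(out)


def demo() -> dict:
    """Constructed scenario: one datagram arriving out of order, then ten
    datagrams that each withhold their final fragment, against a 4-entry table."""
    r = FragmentReassembler(max_pending=4, timeout=10.0)
    good = ("10.0.0.1", "10.0.0.53", 17, 100)
    r.add_fragment(good, 1000, False, b"C" * 200, now=0.0)   # last piece first
    r.add_fragment(good, 500, True, b"B" * 500, now=0.1)
    whole = r.add_fragment(good, 0, True, b"A" * 500, now=0.2)  # completes it
    for ident in range(1, 11):                                # never-completed datagrams
        r.add_fragment(("10.0.0.9", "10.0.0.53", 17, ident), 0, True, b"x" * 8, now=1.0)
    pending_after_flood, dropped_after_flood = r.pending_count(), r.dropped
    r.expire(now=20.0)                                        # timeout reclaims the rest
    return {"reassembled_len": len(whole), "pending_after_flood": pending_after_flood,
            "dropped_after_flood": dropped_after_flood,
            "pending_after_expiry": r.pending_count(), "expired": r.expired}


if __name__ == "__main__":
    print(demo())
```

The cap and the timeout are the two knobs that make reassembly affordable: the table stops growing at `max_pending` (the six surplus datagrams in `demo()` are refused, not buffered), and whatever did get in is reclaimed once its timeout passes. Tuning either one too low drops legitimate fragmented DNS responses, which is the performance and correctness trade-off the thread is describing.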