The real issue with fragmentation is that firewalls don't add appropriate slit rules to let through the response fragments when they open the pinhole for the reply packet.
It isn't that hard to add "permit from dest, to src, type udp, frag offset != 0" when you add "permit from dest port 53, to src port xxx, type udp", except the firewall vendors haven't written code to do it. You don't have to let through all fragments. You can filter to potentially matching fragments. The effort to be a perfect filter breaks legitimate traffic. NATs need to reassemble packets / hold fragments until the initial fragment arrives, but even they can use slit rules to reduce the attack surface. You don't have to drop fragments of a packet whose initial fragment you haven't seen yet (ipfw does/did this). The fragment with offset 0 also needs to be sent first. This greatly improves the possibility of fragments getting through.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
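The pinhole logic the post describes, as an added illustration that is not part of the original message and not code from Mark Andrews or ISC. It models a stateful UDP filter in Python: an outbound DNS query opens the usual reply pinhole ("permit from dest port 53, to src port xxx, type udp"), and, when the companion rule is enabled, also the fragment rule ("permit from dest, to src, type udp, frag offset != 0"). Non-first fragments carry no UDP header, so they can only be matched on addresses, protocol and offset, which is why the second fragment of a large reply is dropped without the companion rule and why the companion rule still rejects fragments from hosts no query was sent to. The `Packet` class, the `PinholeFirewall` class and all addresses and ports are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

UDP = 17  # IP protocol number for UDP


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified view of an IPv4 datagram or fragment."""
    src: str
    dst: str
    proto: int
    frag_offset: int = 0           # fragment offset in 8-byte units, as in the IP header
    sport: Optional[int] = None    # transport ports exist only in the first fragment
    dport: Optional[int] = None

    @property
    def is_first_fragment(self) -> bool:
        return self.frag_offset == 0


class PinholeFirewall:
    """Stateful UDP filter; hypothetical model of the behaviour the post discusses."""

    def __init__(self, companion_frag_rules: bool) -> None:
        self.companion_frag_rules = companion_frag_rules
        # reply pinholes: (reply src, reply sport, reply dst, reply dport)
        self.reply_pinholes: Set[Tuple[str, int, str, int]] = set()
        # fragment pinholes: (reply src, reply dst) for non-first fragments
        self.frag_pinholes: Set[Tuple[str, str]] = set()

    def outbound(self, pkt: Packet) -> None:
        """An inside-to-outside UDP packet opens a pinhole for the reply."""
        if pkt.proto != UDP or not pkt.is_first_fragment:
            return
        # "permit from dest port 53, to src port xxx, type udp"
        self.reply_pinholes.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if self.companion_frag_rules:
            # "permit from dest, to src, type udp, frag offset != 0"
            self.frag_pinholes.add((pkt.dst, pkt.src))

    def inbound(self, pkt: Packet) -> bool:
        """Return True if the outside-to-inside packet is permitted."""
        if pkt.proto != UDP:
            return False
        if pkt.is_first_fragment:
            # the first fragment carries the UDP header, so match on the 4-tuple
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reply_pinholes
        # non-first fragments have no ports; only the companion rule can admit them
        return (pkt.src, pkt.dst) in self.frag_pinholes


def simulate(companion_frag_rules: bool) -> Tuple[bool, bool, bool]:
    """Run one DNS query and a fragmented reply through the filter.

    Returns the verdicts for: first fragment of the reply, second fragment of
    the reply, and a non-first fragment from an unrelated host.
    """
    fw = PinholeFirewall(companion_frag_rules)
    resolver, stub, stranger = "192.0.2.53", "198.51.100.10", "203.0.113.7"  # constructed

    # stub resolver sends a query from an ephemeral port to the resolver's port 53
    fw.outbound(Packet(src=stub, dst=resolver, proto=UDP, sport=40123, dport=53))

    # the reply is too large for the path MTU and arrives as two fragments,
    # offset-0 fragment first, as the post says it needs to be
    first = Packet(src=resolver, dst=stub, proto=UDP, frag_offset=0, sport=53, dport=40123)
    second = Packet(src=resolver, dst=stub, proto=UDP, frag_offset=185)  # 1480 bytes / 8
    # a non-first fragment from a host that was never queried
    unrelated = Packet(src=stranger, dst=stub, proto=UDP, frag_offset=185)

    return fw.inbound(first), fw.inbound(second), fw.inbound(unrelated)


if __name__ == "__main__":
    print("without companion fragment rule:", simulate(False))
    print("with companion fragment rule:   ", simulate(True))
```

Without the companion rule the reply's second fragment is dropped even though the pinhole for the reply is open; with it the fragment passes, while a non-first fragment from a host that was never queried is still rejected, which is the "filter to potentially matching fragments" point rather than "let through all fragments".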