
Security Considerations for IP Fragment Filtering (RFC1858)

IP.com Disclosure Number: IPCOM000004114D
Original Publication Date: 1995-Oct-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 8 page(s) / 19K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

G. Ziemba: AUTHOR (and 3 other related people)

Abstract

IP fragmentation can be used to disguise TCP packets from IP filters used in routers and hosts. This document describes two methods of attack as well as remedies to prevent them.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 14% of the total text.

Network Working Group                                          G. Ziemba
Request for Comments: 1858                                       Alantec
Category: Informational                                          D. Reed
                                                             Cybersource
                                                               P. Traina
                                                           cisco Systems
                                                            October 1995

Security Considerations for IP Fragment Filtering

Status of This Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

IP fragmentation can be used to disguise TCP packets from IP filters used in routers and hosts. This document describes two methods of attack as well as remedies to prevent them.

1. Background

System administrators rely on manufacturers of networking equipment to provide them with packet filters; these filters are used for keeping attackers from accessing private systems and information, while permitting friendly agents to transfer data between private nets and the Internet. For this reason, it is important for network equipment vendors to anticipate possible attacks against their equipment and to implement robust mechanisms to deflect such attacks.

The growth of the global Internet has brought with it an increase in "undesirable elements" manifested in antisocial behavior. Recent months have seen the use of novel attacks on Internet hosts, which have in some cases led to the compromise of sensitive data. Increasingly sophisticated attackers have begun to exploit the more subtle aspects of the Internet Protocol; fragmentation of IP packets, an important feature in heterogeneous internetworks, poses several potential problems which we explore here.

2. Filtering IP Fragments

IP packet filters on routers are designed with a user interface that hides packet fragmentation from the administrator; conceptually, an IP filter is applied to each IP packet as a complete entity.

One approach to fragment filtering, described by Mogul [1], involves keeping track of the results of applying filter rules to the first fragment (FO==0) and applying them to subsequent fragments of the same packet. The filtering module would maintain a list of packets indexed by the source address, destination address, protocol, and IP ID. When the initial (FO==0) fragment is seen, if the MF bit is set, a list item would be allocated to hold the result of filte...
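The stateful approach described above, as an added example in Python that is not part of RFC 1858 or of Mogul's work: filter rules are evaluated once on the initial (FO==0) fragment, the verdict is kept in a table keyed by source address, destination address, protocol and IP ID while the MF bit is set, and later fragments of the same packet inherit that verdict. Everything the abbreviated text does not specify is an assumption made here: the sample policy in `rule_allow`, the drop of a non-initial fragment for which no initial fragment has been recorded, the denial of an initial fragment too short to carry the port being checked, and the constructed fragments in `run_sample`.

```python
"""Stateful IP fragment filter in the style Mogul describes (added example).

Assumptions, not from the page: the policy in rule_allow, the handling of
orphan non-initial fragments (dropped here), the short-first-fragment denial,
and the sample fragments in run_sample, all constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """The IP header fields the filter needs, plus the fragment payload."""
    src: str
    dst: str
    proto: int            # IP protocol number; 6 == TCP
    ip_id: int            # IP identification field
    frag_offset: int      # FO, in 8-octet units; 0 for the initial fragment
    more_fragments: bool  # MF bit
    payload: bytes        # transport header and data carried by this fragment


# Packets in progress are indexed by (source, destination, protocol, IP ID),
# the four fields named in the text.
FlowKey = Tuple[str, str, int, int]

TCP = 6


def tcp_dst_port(payload: bytes) -> Optional[int]:
    """Destination port sits at octets 2-3 of the TCP header (big-endian)."""
    if len(payload) < 4:
        return None
    return int.from_bytes(payload[2:4], "big")


def rule_allow(frag: Fragment) -> bool:
    """Constructed sample policy: permit TCP to 192.0.2.10 port 25, deny all else.

    The rule is only ever applied to the initial (FO==0) fragment. If that
    fragment is too short to carry the port being checked, the packet is
    denied rather than guessed at (a defensive choice made here, not on the page).
    """
    if frag.proto != TCP or frag.dst != "192.0.2.10":
        return False
    return tcp_dst_port(frag.payload) == 25


class FragmentFilter:
    """Applies rule_allow to the first fragment and replays the verdict for the rest."""

    def __init__(self) -> None:
        self.pending: Dict[FlowKey, bool] = {}

    def decide(self, frag: Fragment) -> bool:
        key: FlowKey = (frag.src, frag.dst, frag.proto, frag.ip_id)
        if frag.frag_offset == 0:
            verdict = rule_allow(frag)
            # Only a fragmented packet (MF set) needs an entry for later fragments.
            if frag.more_fragments:
                self.pending[key] = verdict
            return verdict
        # Non-initial fragment: reuse the verdict recorded for the first one.
        verdict = self.pending.get(key)
        if verdict is None:
            # No initial fragment seen for this packet: drop (assumption, see above).
            return False
        if not frag.more_fragments:
            # Last fragment (MF clear): the packet is complete, release the entry.
            del self.pending[key]
        return verdict


def run_sample() -> List[bool]:
    """Feeds constructed fragments through the filter; returns the verdicts in order."""
    f = FragmentFilter()
    smtp_hdr = (1025).to_bytes(2, "big") + (25).to_bytes(2, "big") + b"\x00" * 16
    telnet_hdr = (1026).to_bytes(2, "big") + (23).to_bytes(2, "big") + b"\x00" * 16
    frags = [
        # Packet A: SMTP to the permitted host, three fragments -> all allowed.
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x1234, 0, True, smtp_hdr),
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x1234, 3, True, b"A" * 24),
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x1234, 6, False, b"A" * 10),
        # Packet B: telnet to the same host, two fragments -> denied at FO==0,
        # and the second fragment inherits the denial.
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x1235, 0, True, telnet_hdr),
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x1235, 3, False, b"B" * 8),
        # Packet C: a non-initial fragment with no recorded first fragment -> dropped.
        Fragment("198.51.100.7", "192.0.2.10", TCP, 0x9999, 5, False, b"C" * 8),
    ]
    return [f.decide(x) for x in frags]


if __name__ == "__main__":
    print(run_sample())  # [True, True, True, False, False, False]
```

The table entry is created only when the initial fragment carries MF set, so an unfragmented packet leaves no state behind, and it is released when the final fragment (MF clear) is processed; a production filter would also need to age out entries whose last fragment never arrives.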