> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf_at_ghettot.org]
>
<snip>
> 1. Path MTU discovery (DF set) prevents fragmentation [*]; some modern
> systems (Linux) default to this mode - although PMTU discovery is
> also known to cause problems in certain setups, so it is not always
> the best way to stop the attack.
>
> [*] Also note that certain types of routers or tunnels tend to
> ignore DF flag, possibly opening this vector again.
<snip>
> Note that this has nothing to do with old firewall bypassing techniques
> and other tricks that used fragmentation to fool IDSes and so on -
> mandatory defragmentation of incoming traffic on perimeter devices will
> not solve the problem.
I concluded some time back -- coming at it from an entirely different
angle from either of these -- that IP-layer fragmentation and reassembly
was fatally flawed. All sane implementations should set DF, and all but
the most secure of tunnels should honour it.
David Gillett
Received on Dec 11 2003
Intro
