RFC 1858 (rfc1858) - Page 1 of 10


Security Considerations for IP Fragment Filtering



Alternative Format: Original Text Document

Next >


Network Working Group                                         G. Ziemba
Request for Comments: 1858                                      Alantec
Category: Informational                                         D. Reed
                                                            Cybersource
                                                              P. Traina
                                                          cisco Systems
                                                           October 1995


           Security Considerations for IP Fragment Filtering

Status of This Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   IP fragmentation can be used to disguise TCP packets from IP filters
   used in routers and hosts. This document describes two methods of
   attack as well as remedies to prevent them.

1. Background

   System administrators rely on manufacturers of networking equipment
   to provide them with packet filters; these filters are used for
   keeping attackers from accessing private systems and information,
   while permitting friendly agents to transfer data between private
   nets and the Internet.  For this reason, it is important for network
   equipment vendors to anticipate possible attacks against their
   equipment and to implement robust mechanisms to deflect such attacks.

   The growth of the global Internet has brought with it an increase in
   "undesirable elements" manifested in antisocial behavior.  Recent
   months have seen the use of novel attacks on Internet hosts, which
   have in some cases led to the compromise of sensitive data.

   Increasingly sophisticated attackers have begun to exploit the more
   subtle aspects of the Internet Protocol; fragmentation of IP packets,
   an important feature in heterogeneous internetworks, poses several
   potential problems which we explore here.









Ziemba, Reed & Traina        Informational


Next >


Web Standards & Support:

Link to and support eLook.org Powered by LoadedWeb Web Hosting
Valid XHTML 1.0! Valid CSS! eLook.org FireFox Extensions