Security Considerations for IP Fragment Filtering
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
2. Filtering IP Fragments
IP packet filters on routers are designed with a user interface that
hides packet fragmentation from the administrator; conceptually, an
IP filter is applied to each IP packet as a complete entity.
One approach to fragment filtering, described by Mogul [1], involves
keeping track of the results of applying filter rules to the first
fragment (FO==0) and applying them to subsequent fragments of the
same packet. The filtering module would maintain a list of packets
indexed by the source address, destination address, protocol, and IP
ID. When the initial (FO==0) fragment is seen, if the MF bit is set,
a list item would be allocated to hold the result of filter access
checks. When packets with a non-zero FO come in, look up the list
element with a matching SA/DA/PROT/ID and apply the stored result
(pass or block). When a fragment with a zero MF bit is seen, free
the list element.
Although this method (or some refinement of it) might successfully
remove any trace of the offending whole packet, it has some
difficulties. Fragments that arrive out of order, possibly because
they traveled over different paths, violate one of the design
assumptions, and undesired fragments can leak through as a result.
Furthermore, if the filtering router lies on one of several parallel
paths, the filtering module will not see every fragment and cannot
guarantee complete fragment filtering in the case of packets that
should be dropped.
Fortunately, we do not need to remove all fragments of an offending
packet. Since "interesting" packet information is contained in the
headers at the beginning, filters are generally applied only to the
first fragment. Non-first fragments are passed without filtering,
because it will be impossible for the destination host to complete
reassembly of the packet if the first fragment is missing, and
therefore the entire packet will be discarded.
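The following simulation is an added illustration and is not part of RFC 1858: it implements the stateful scheme attributed to Mogul above (store the first-fragment verdict under SA/DA/PROT/ID, replay it for later fragments, free the entry on MF==0), the stateless first-fragment-only alternative, and shows the out-of-order leak. The names Fragment, MogulFilter, first_fragment_only and run, the port-based access check, and passing a non-first fragment that has no stored result are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed fragment model: fo is the fragment offset, mf the More-Fragments
# bit; dport stands in for the transport header fields that exist only in the
# first fragment (fo == 0).
@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    fo: int
    mf: bool
    dport: Optional[int] = None

class MogulFilter:
    """Stateful fragment filter as sketched in RFC 1858 section 2."""

    def __init__(self, blocked_ports):
        self.blocked_ports = set(blocked_ports)
        self.state = {}  # (SA, DA, PROT, ID) -> stored verdict

    def _check_first(self, frag):
        # Stand-in access check: block by destination port (assumption).
        return "block" if frag.dport in self.blocked_ports else "pass"

    def filter(self, frag):
        key = (frag.src, frag.dst, frag.proto, frag.ip_id)
        if frag.fo == 0:
            verdict = self._check_first(frag)
            if frag.mf:  # more fragments follow: remember the result
                self.state[key] = verdict
            return verdict
        verdict = self.state.get(key)  # non-first fragment: replay result
        if verdict is None:
            # Arrived before its first fragment: the design assumption is
            # violated and there is nothing to replay, so it leaks (assumed).
            verdict = "pass"
        if not frag.mf:  # last fragment seen: free the list element
            self.state.pop(key, None)
        return verdict

def first_fragment_only(frag, blocked_ports):
    """Stateless alternative from section 2: filter fo == 0, pass the rest."""
    if frag.fo == 0:
        return "block" if frag.dport in set(blocked_ports) else "pass"
    return "pass"

def run(frags, blocked_ports=(23,)):
    f = MogulFilter(blocked_ports)
    return [f.filter(x) for x in frags]

# Constructed sample: one packet to port 23 split into three fragments.
PKT = [Fragment("10.0.0.1", "10.0.0.2", 6, 0x1234, fo, mf, dport)
       for fo, mf, dport in ((0, True, 23), (3, True, None), (6, False, None))]
```

Feeding PKT in order blocks every fragment, while delivering the second fragment first lets it pass before the stored verdict exists, which is the leak the text describes.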
The Internet Protocol allows fragmentation of packets into pieces so
small as to be impractical because of data and computational
overhead. Attackers can sometimes exploit typical filter behavior
and the ability to create peculiar fragment sequences in order to
sneak otherwise disallowed packets past the filter. In normal
practice, such pathological fragmentation is never used, so it is
safe to drop these fragments without danger of preventing normal
operation.
Ziemba, Reed & Traina Informational