From: Jack Yu (cciecn@xxxxxxxxx)
Date: Thu Feb 15 2001 - 18:47:10 GMT-3
Drew,
I did not follow the thread from the beginning, are we
talking about CBAC or just normal access-list?
CBAC, like PIX, can do stateful filtering, in that
case it keeps all fragments, so if you have CBAC
configured on R3 and R2, you are right, there is no
way this will work.
But if you only have normal access-list which is
stateless, this should work, R3 will not drop any
fragments, because they will pass all fragments. The
reason is obvious, if you do not keep the state of
the packets, you are not able to decide the contents,
then you have to forward.
HTH
Jack
--- "Maness, Drew" <drew.maness@veritect.com> wrote:
> I humbly stand corrected. I thought that IP
> fragmentation was only of local
> significance between two routers. But your question
> of multiple routes made
> sense. According to Stevens, " When an IP datagram
> is fragmented, it is not
> reassembled until it reaches its final
> destination..." He also went on to
> say "When an IP datagram is fragmented, each fragment
> becomes its own packet,
> with its own IP header"
>
> I also read Phillip's post about the offset bit and
> that makes sense but
> only if the fragmented packets are guaranteed to
> reach the router that the
> first packet went through.
>
> Here is my dilemma: If an IP datagram gets
> fragmented at R1 and it needs to
> get to R4. R2 and R3 both have an ACL on them.
> Let's use Phillips example:
>
> permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34
>
> Now using this diagram.
> ___R2___
> R1| |R4
> ----R3---
>
> R1 fragments the datagram and sends the first packet
> to R2. Let's say for
> this example that R1 sends all odd packets to R2 and
> all even packets to R3.
> (Just a theoretical example) The first packet hits
> R2 and matches the acl.
> All the other fragmented packets that hit R2 will be
> passed because of the
> offset bit but the packets that go through R3 will
> be dropped? Therefore
> the entire datagram will be dropped because not all
> the packets will reach
> R4?
>
> I still think I'm missing something.
>
> Sorry for sending out wrong information but I did
> truly believe I was
> correct.
>
> Regards
>
> Drew
>
> -----Original Message-----
> From: David Ankers [mailto:d.ankers@chello.nl]
> Sent: Tuesday, February 13, 2001 3:17 PM
> To: Chuck Church
> Cc: ccielab@groupstudy.com
> Subject: Re: Fragmentation Concepts
>
>
> The quote below from Drew is completely false, I
> have no idea why he posted
> it as it misleads people although I'm sure it was
> done in good faith.
>
> I'll answer why it's wrong with a question:
>
> What happens if a packet gets fragmented and the
> fragments take different
> paths? If the router with the access list is in the
> middle of the path there
> is a possibility that it won't get all the packets,
> so how can it re-assemble them? TCP/IP doesn't
> have such a design flaw.
> Which system is the only system that we can be sure
> will get all the packets
> given that no loss occurs? The system with the
> destination address.
>
> From a programmer's point of view having intermediate
> systems perform
> re-assembly would be a nightmare for two reasons, 1,
> buffer allocation and 2,
> it would cause deadlocks.
>
> I don't like sending "you are wrong" mails but I know
> a couple of the guys
> here are trying to get an understanding of this
> topic, sorry Drew.
>
> D.
>
>
>
> On Tuesday 13 February 2001 19:47, you wrote:
> > Maybe this means that an interface with an access
> > list must re-assemble the
> > fragmented packet before it can run it through the
> > access-list? If I get a
> > chance I'll try it in the lab.
> >
> > Chuck Church
> > CCNP, CCDP, MCNE, MCSE
> > Sr. Network Engineer
> > Magnacom Technologies
> > 140 N. Rt. 303
> > Valley Cottage, NY 10989
> > 845-267-4000 x218
> >
> >
> > -----Original Message-----
> > From: Shawn Bowen [mailto:shawn@bowen.com]
> > Sent: Tuesday, February 13, 2001 2:06 PM
> > To: Ccielab@Groupstudy. Com
> > Subject: RE: Fragmentation Concepts
> >
> >
> > What about a router that's in the middle of the
> network that the stream of
> > packets is going across? How can the middle
> router effectively use an
> > extended access-list if the port number is only
> contained in the first
> > fragment?
> >
> > Thanks,
> > Shawn
> >
> > -----Original Message-----
> > From: Maness, Drew
> [mailto:drew.maness@veritect.com]
> > Sent: Tuesday, February 13, 2001 10:41 AM
> > To: 'Tariq Sharif'; Ccielab@Groupstudy. Com
> > Subject: RE: Fragmentation Concepts
> >
> > The router will need to combine the fragmentations
> or (frames) to form the
> > whole packet.
> >
> > -----Original Message-----
> > From: Tariq Sharif
> [mailto:tariq_sharif@btinternet.com]
> > Sent: Monday, February 12, 2001 1:14 PM
> > To: Tariq Sharif; Priscilla Oppenheimer; David
> Ankers; Chuck Larrieu;
> > Choon, Raymond (); Ccielab@Groupstudy. Com
> > Subject: RE: Fragmentation Concepts
> >
> >
> > Digging a bit deeper...
> >
> > When IP carrying UDP/TCP is fragmented, only 1st
> fragment has layer 4 info
> > (i.e. port numbers). How do access lists handle
> this? Will a router open a
> > port (say 69) for the 1st segment & looking at the
> ID/offset it keeps the
> > port open for the rest of segments (which do not
> carry port #)?
> >
> > Hope you understand what I'm asking.
> >
> > Many thanks & regards.
> >
> > Tariq Sharif
> >
> >
> > -----Original Message-----
> > From: Tariq Sharif
> [mailto:tariq_sharif@btinternet.com]
> > Sent: 07 February 2001 19:06
> > To: Priscilla Oppenheimer; David Ankers; Chuck
> Larrieu; Choon, Raymond
> > (); 'Tariq Sharif'; Ccielab@Groupstudy. Com
> > Subject: RE: Fragmentation Concepts
> >
> >
> > Hi Priscilla
> >
> > Great to have you onboard! Thanks to everyone for
> a mighty discussion!
> >
> > Many thanks & regards.
> >
> > Tariq Sharif
> >
> >
> >
> > -----Original Message-----
> > From: Priscilla Oppenheimer
> [mailto:cilla@priscilla.com]
> > Sent: 07 February 2001 18:37
> > To: David Ankers; Chuck Larrieu; Choon, Raymond
> ();
=== message truncated ===
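The two behaviours argued over in this thread (a stateless extended ACL that forwards non-initial fragments because the ports are only in the offset-0 fragment, versus a stateful CBAC/PIX-style filter that only trusts fragments whose first fragment it has already seen) can be played through on Drew's R2/R3 diagram. The model below is an added example, not code from the list or from any vendor; the fragment bytes and the odd/even path split are constructed, and the stateful filter is a deliberate simplification keyed on (source, destination, IP ID).

```python
import socket
import struct

# The entry from the thread: permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34 (implicit deny after it).
ACE = ("1.1.1.1", "2.2.2.2", 6, 68, 34)

def build_fragment(src, dst, ident, offset_units, more, payload):
    """Constructed IPv4 fragment: 20-byte header, no options, checksum left at zero."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)   # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Return (src, dst, ident, fragment offset in 8-byte units, protocol, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, ident, flags_frag, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(s), socket.inet_ntoa(d), ident, flags_frag & 0x1FFF, proto, pkt[ihl:]

def stateless_acl(pkt):
    """Plain extended ACL: addresses/protocol always checked, ports only exist at offset 0."""
    src, dst, _, offset, proto, payload = parse(pkt)
    if (src, dst, proto) != ACE[:3]:
        return "deny"
    if offset != 0:
        return "permit"   # non-initial fragment: no ports to compare, so it is forwarded
    sport, dport = struct.unpack("!HH", payload[:4])
    return "permit" if (sport, dport) == ACE[3:] else "deny"

class StatefulFilter:
    """Simplified CBAC/PIX-like filter: remembers datagrams whose first fragment was permitted."""
    def __init__(self):
        self.seen = set()
    def check(self, pkt):
        src, dst, ident, offset, _, _ = parse(pkt)
        if offset == 0:
            verdict = stateless_acl(pkt)
            if verdict == "permit":
                self.seen.add((src, dst, ident))
            return verdict
        return "permit" if (src, dst, ident) in self.seen else "deny"   # never saw fragment 1: drop

def run_topology(stateful):
    """Drew's diagram: odd fragments go via R2, even via R3; return how many reach R4."""
    first = struct.pack("!HH", 68, 34) + b"\x00" * 20          # TCP ports only in fragment 1
    frags = [build_fragment("1.1.1.1", "2.2.2.2", 0x1234, i * 3, i < 3,
                            first if i == 0 else b"\xaa" * 24) for i in range(4)]
    r2, r3 = StatefulFilter(), StatefulFilter()
    delivered = 0
    for n, pkt in enumerate(frags, start=1):
        router = r2 if n % 2 else r3
        delivered += (router.check(pkt) if stateful else stateless_acl(pkt)) == "permit"
    return delivered
```

With stateless ACLs all four fragments reach R4; with stateful filters on both paths R3 drops fragments 2 and 4 because it never saw fragment 1, so the datagram can never be reassembled, which is exactly the case Jack describes.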
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:50 GMT-3