Cisco ACLs and IP Fragments

From: Jeremy (jeremy19@cox.net)
Date: Wed Mar 02 2005 - 13:43:01 GMT-3

Next message: Dennis J. Hartmann: "RE: LLQ for eigrp"
Previous message: joshua lauer: "Re: Redrawing the Diagram."
Next in thread: Alexander Arsenyev (GU/ETL): "RE: Cisco ACLs and IP Fragments"
Maybe reply: Alexander Arsenyev (GU/ETL): "RE: Cisco ACLs and IP Fragments"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have been curious about this scenario, and would like to know if anyone out on the list can clarify this scenario for me?

ACL ENTRY: access-list 100 permit tcp any any established

Based on the ACL entry above, if two overlapping fragments were sent as indicated below, would the two fragments pass the ACL entry and be reassembled as a TCP SYN over port 80, causing the server to respond with a SYN/ACK? At this point we will have to assume that the host's IP stack will, in fact reassemble the packets in order, not favoring older fragments, and that egress filtering is not blocking the "return" traffic.

From http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml, the ACL entry should behave as follows:

Permit ACL line with L3 and L4 information
1) If a packet's L3 and L4 information matches the ACL line and FO = 0, the packet is permitted.
2) If a packet's L3 information matches the ACL line and FO > 0, the packet is permitted.

FRAGMENT 1

TCP HEADER
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1026 | 80 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number = 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | | |A| | | | | |
| Offset| Reserved | |C| | | | | Window |
| | | |K| | | | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             .
                             .
                             .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (Other data) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

FRAGMENT 2

TCP HEADER
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | | | | | |S| | |
| Offset| Reserved | | | | |Y| | Window |
| | | | | | |N| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             .
                             .
                             .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (Other data) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Thanks!

-Jeremy

Next message: Dennis J. Hartmann: "RE: LLQ for eigrp"
Previous message: joshua lauer: "Re: Redrawing the Diagram."
Next in thread: Alexander Arsenyev (GU/ETL): "RE: Cisco ACLs and IP Fragments"
Maybe reply: Alexander Arsenyev (GU/ETL): "RE: Cisco ACLs and IP Fragments"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:38 GMT-3