Re: the fragment keyword

From: Petr Lapukhov (petrsoft@gmail.com)
Date: Sun May 28 2006 - 03:57:05 ART


Victor,

Usually, a router does not need any state information - it does not
reassemble packet fragments (well, at least if it does not have that
"virtual reassembly" enabled). Actually, you're right - some state
information may be required for NAT ALG :)

HTH
Petr

2006/5/28, Victor Cappuccio <cvictor@protokolgroup.com>:
>
> Thanks Petr, but I still think that some information must be stored in
> order to know which traffic flow a stream of fragmented packets belongs to.
>
> Victor.
>
> ------------------------------
>
> *From:* Petr Lapukhov [mailto:petrsoft@gmail.com]
> *Sent:* Sunday, May 28, 2006 02:00 a.m.
> *To:* Victor Cappuccio
> *CC:* GroupStudy CCIE
> *Subject:* Re: the fragment keyword
>
>
>
> Victor,
>
> the best thing on "fragments" I found is
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
> Basically, IOS does NOT keep any state information. You
> need CBAC to do that :). The fragments keyword simply instructs it to
> check if we have a "non-initial" (frag_offset>0) fragment.
>
> HTH
> Petr
>
> 2006/5/28, Victor Cappuccio <cvictor@protokolgroup.com>:
>
> Hello
>
> Please excuse this dummy question, but I wish to know whether the router,
> when an initial fragment goes through, creates a kind of state table of the
> Originator / Flag and Flag Offset of the sender?
>
> Assuming this configuration
>
> access-list 101 deny ip any host X.X.X.1 fragments
> access-list 101 permit tcp any host X.X.X.1 eq 25
> access-list 101 deny ip any any
>
> OK, suppose the initial fragment (containing L4 information) has passed (2nd
> access-list), but how does the router know exactly when the following pkts are
> from the same flow and sent to the same port number in L4?
>
> I understand that in these new IOS versions the fragment keyword in the ACL
> would also force the IOS to check the second access-list for noninitial and
> initial fragments, but is there something stored in memory to check for
> Originator / Flag and Flag Offset?
>
> What if a fragment of a big chunk comes out of order?
>
> Is there any way to see this?
>
> Thanks
> Victor.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART
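
Added example, not part of the original thread: a simplified Python model of the stateless, per-packet ACL evaluation Petr describes, applied to Victor's access-list 101. The address 192.0.2.1 stands in for X.X.X.1, the class and function names are hypothetical, and the handling of non-initial fragments against entries that carry L4 information follows the Cisco white paper linked in the thread.

```python
from dataclasses import dataclass
from typing import Optional

HOST = "192.0.2.1"  # constructed stand-in for the thread's X.X.X.1

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", ...
    dst: str
    frag_offset: int = 0         # > 0 means a non-initial fragment
    dport: Optional[int] = None  # present only when this packet carries the L4 header

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # L4 match ("eq <port>"), if any
    fragments: bool = False      # the "fragments" keyword

def evaluate(acl, pkt):
    """Return (action, matching line). Only this packet's own header is used."""
    non_initial = pkt.frag_offset > 0
    for n, ace in enumerate(acl, 1):
        if not (ace.proto in ("ip", pkt.proto) and ace.dst in ("any", pkt.dst)):
            continue                      # L3 fields do not match
        if ace.fragments:                 # entry applies to non-initial fragments only
            if non_initial:
                return ace.action, n
            continue
        if ace.dport is None:             # L3-only entry: applies to every packet
            return ace.action, n
        if non_initial:                   # no L4 header here: decide on L3 alone
            if ace.action == "permit":
                return "permit", n
            continue                      # deny entry with L4 info: try next line
        if pkt.dport == ace.dport:
            return ace.action, n
    return "deny", 0                      # implicit deny at the end of the list

ACL_101 = [                               # the three lines from Victor's post
    Ace("deny", "ip", HOST, fragments=True),
    Ace("permit", "tcp", HOST, dport=25),
    Ace("deny", "ip", "any"),
]
ACL_NO_FRAG_LINE = ACL_101[1:]            # same list without the fragments entry

initial = Packet("tcp", HOST, frag_offset=0, dport=25)  # constructed sample
later = Packet("tcp", HOST, frag_offset=185)            # constructed sample

if __name__ == "__main__":
    for name, acl in (("ACL_101", ACL_101), ("no fragments line", ACL_NO_FRAG_LINE)):
        print(name, [evaluate(acl, p) for p in (later, initial)])
```

Because no flow table is consulted, the verdict for each fragment is the same whatever order the fragments arrive in.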