From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Tue Sep 05 2006 - 14:20:13 ART
Hi Chris and Jeff,
RFC 1858 discusses security issues related to fragments; it is a very easy RFC
to read, even for me, and I'm not a native English-speaking person.
Also, there is an excellent thread about this between Bob Sinclair, Tim and
others: http://www.groupstudy.com/archives/ccielab/200505/msg00483.html
http://groupstudy.com/archives/ccielab/200503/msg00266.html
Hope that helps.
Victor.-
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Chris
Broadway
Sent: Tuesday, September 5, 2006 11:52 a.m.
To: Jeff Ryan
CC: Cisco certification
Subject: Re: fragments Keyword Scenarios
Group,
After reading the link below on fragments I have a question too. Scenario
#1 says that the ACL will stop all fragments. I don't think this is so, and
I am looking for some opinions. The first line will stop *non-initial
fragments* only. The second line will permit all non-fragments and *initial
fragments*. Because the second line permits initial fragments, the scenario
cannot say "ALL FRAGMENTS" are blocked. What say you all?
-Broadway
On 9/4/06, Jeff Ryan <jeffryanwn@hotmail.com> wrote:
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
> In looking at this link, specifically the Scenario #1 ACL 101 example, it
> states that this would permit only non-fragmented HTTP flows to the server.
> Of course, the deny statement would kill any IGP or EGP connection unless we
> specifically permitted it...
>
> In the diagram in this link, if I had a BGP TCP session with a router out
> this link:
>
> access-list 101 deny ip any host 171.16.23.1 fragments
> access-list 101 permit tcp any host 171.16.23.1 eq 80
> access-list 101 permit tcp any any eq bgp
> access-list 101 permit tcp any eq bgp any
> access-list 101 deny ip any any
> !
> int s0 (internet link)
> ip access-group 101 in
> !
>
> Any comments?
>
> Jeff
>
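To make Chris's point concrete, here is an added example (not from the thread or from Cisco) that walks Jeff's ACL 101 through the IOS rules for the `fragments` keyword: a `fragments` ACE matches only non-initial fragments; an ACE with L4 information matches non-fragmented packets and initial fragments on L3+L4, while for non-initial fragments a permit matches on L3 alone and a deny is skipped. The packets are constructed test inputs.

```python
# Evaluator for Cisco IOS extended-ACL fragment semantics (added example).
# Packet fields: proto, src, dst, sport, dport, frag in {"none","initial","non-initial"}.

def ace(action, proto, src, dst, sport=None, dport=None, fragments=False):
    return dict(action=action, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, fragments=fragments)

# ACL 101 exactly as posted in the thread (bgp = TCP port 179).
ACL_101 = [
    ace("deny",   "ip",  "any", "171.16.23.1", fragments=True),  # deny ... fragments
    ace("permit", "tcp", "any", "171.16.23.1", dport=80),        # permit tcp ... eq 80
    ace("permit", "tcp", "any", "any", dport=179),               # permit tcp any any eq bgp
    ace("permit", "tcp", "any", "any", sport=179),               # permit tcp any eq bgp any
    ace("deny",   "ip",  "any", "any"),                          # deny ip any any
]

def l3_match(e, pkt):
    return ((e["proto"] == "ip" or e["proto"] == pkt["proto"])
            and (e["src"] == "any" or e["src"] == pkt["src"])
            and (e["dst"] == "any" or e["dst"] == pkt["dst"]))

def l4_match(e, pkt):
    return ((e["sport"] is None or e["sport"] == pkt.get("sport"))
            and (e["dport"] is None or e["dport"] == pkt.get("dport")))

def evaluate(acl, pkt):
    """Return (action, 1-based ACE number); (\"deny\", None) is the implicit deny."""
    non_initial = pkt["frag"] == "non-initial"
    for n, e in enumerate(acl, 1):
        has_l4 = e["sport"] is not None or e["dport"] is not None
        if e["fragments"]:                       # applies to non-initial fragments only
            if non_initial and l3_match(e, pkt):
                return e["action"], n
            continue
        if not l3_match(e, pkt):
            continue
        if not has_l4:                           # L3-only ACE: every packet kind
            return e["action"], n
        if non_initial:                          # no L4 header to inspect
            if e["action"] == "permit":
                return e["action"], n
            continue                             # deny with L4 info is skipped
        if l4_match(e, pkt):
            return e["action"], n
    return "deny", None

def demo():
    web, src = "171.16.23.1", "10.0.0.5"       # constructed addresses
    pkts = {
        "http initial fragment": dict(proto="tcp", src=src, dst=web, sport=40000, dport=80, frag="initial"),
        "http non-initial fragment": dict(proto="tcp", src=src, dst=web, frag="non-initial"),
        "bgp non-initial to other host": dict(proto="tcp", src=src, dst="192.0.2.9", frag="non-initial"),
    }
    return {name: evaluate(ACL_101, p) for name, p in pkts.items()}
```

Running `demo()` shows the initial HTTP fragment permitted by line 2 while only the non-initial fragment is stopped by line 1, which is why the scenario cannot claim that all fragments are blocked.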
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART