From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Tue Sep 05 2006 - 15:53:00 ART
Hi Chris,
Maybe I do not understand your requirement well; could you please elaborate
more on the question?
I assume that you meant to say stop all fragments, so using this topology:
R1 ---- f0/1 - Sw1 - f0/5 ------- R3 -- Lo0
R1#ping 151.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 151.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1#
BB1-TS#7
[Resuming connection 7 to sw1 ... ]
Sw1#show ip access-list
Extended IP access list 123
10 deny ip any any log fragments
20 permit ip any any (3 matches)
Sw1#
BB1-TS#1
[Resuming connection 1 to r1 ... ]
R1#ping 151.1.3.3 size 1600
Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 151.1.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
BB1-TS#7
[Resuming connection 7 to sw1 ... ]
Sw1#show access-list
Extended IP access list 123
10 deny ip any any log fragments (5 matches)
20 permit ip any any (7 matches)
Sw1#
BB1-TS#1
[Resuming connection 1 to r1 ... ]
R1#deb ip pa de 125
IP packet debugging is on (detailed) for access list 125
R1#ping 151.1.3.3 size 1504 rep 1
Type escape sequence to abort.
Sending 1, 1504-byte ICMP Echos to 151.1.3.3, timeout is 2 seconds:
*Mar 2 04:51:31.682: IP: tableid=0, s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), routed via FIB
*Mar 2 04:51:31.682: IP: s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), len 1504, sending
*Mar 2 04:51:31.682: ICMP type=8, code=0
*Mar 2 04:51:31.686: IP: s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), len 1500, sending fragment
*Mar 2 04:51:31.686: IP Fragment, Ident = 59, fragment offset = 0
*Mar 2 04:51:31.686: ICMP type=8, code=0
*Mar 2 04:51:31.686: IP: s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), len 24, sending last fragment
*Mar 2 04:51:31.686: IP Fragment, Ident = 59, fragment offset = 1480.
Success rate is 0 percent (0/1) <<<<<<< NO RESPONSE !!!
R1#ping 151.1.3.3 size 1204 rep 1
Type escape sequence to abort.
Sending 1, 1204-byte ICMP Echos to 151.1.3.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 9/9/9 ms
R1#
*Mar 2 04:51:41.286: IP: tableid=0, s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), routed via FIB
*Mar 2 04:51:41.286: IP: s=150.1.17.1 (local), d=151.1.3.3 (Ethernet0/0), len 1204, sending
*Mar 2 04:51:41.286: ICMP type=8, code=0
_____
From: Chris Broadway [mailto:midatlanticnet@gmail.com]
Sent: Tuesday, 05 September 2006 02:16 p.m.
To: Victor Cappuccio
CC: Jeff Ryan; Cisco certification
Subject: Re: fragments Keyword Scenarios
The two links to the past conversations did not provide a definite answer.
Kinda like now. The RFC gave great "in the weeds" information about
fragment attacks. But, the RFC also gave a "real world" perspective on
fragment attacks and not a CCIE LAB perspective. For example, the RFC
states:
"Since "interesting" packet information is contained in the
headers at the beginning, filters are generally applied only to the
first fragment. Non-first fragments are passed without filtering,
because it will be impossible for the destination host to complete
reassembly of the packet if the first fragment is missing, and
therefore the entire packet will be discarded."
This is not meeting the requirement of the original task in this discussion,
to stop all fragments. But it does leave me with the same confusing
question...how do you stop initial fragments?
-Broadway
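To make the behaviour in Victor's debug output and the RFC passage Chris quotes concrete, here is a small Python model of how an IOS extended ACL classifies fragments. This is an added example for this archive page; it is not code from the thread, from Cisco, or from either poster. The rules it encodes are Cisco's documented ones for the `fragments` keyword: an ACE carrying `fragments` matches only non-initial fragments; an initial fragment or an unfragmented packet is evaluated by the ordinary ACEs; and because a non-initial fragment carries no Layer 4 header, an ACE with Layer 4 qualifiers permits it but a deny with Layer 4 qualifiers is skipped. The packets are constructed from the debug lines above (Ident 59, offsets 0 and 1480, lengths 1500 and 24). The Ident value 60 for the unfragmented 1204-byte echo, the second comparison ACL (`deny icmp any any echo` followed by `permit ip any any`), and the simplified reassembly check are assumptions added for illustration. Running it shows why the 1504-byte ping gets no reply even though line 10 only matches non-initial fragments: the initial fragment is forwarded, the tail is dropped, and the receiver can never complete the datagram.

```python
"""Model of Cisco IOS extended-ACL fragment handling (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_HEADER_LEN = 20  # assumption: no IP options


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "ip" is not used here; "icmp"/"tcp"/"udp"
    ident: int
    offset: int                         # fragment offset in bytes (0 = initial or unfragmented)
    more_fragments: bool
    length: int                         # IP total length
    l4: Optional[Tuple[int, int]] = None  # ICMP (type, code); None on non-initial fragments

    @property
    def non_initial(self) -> bool:
        return self.offset > 0


@dataclass
class ACE:
    seq: int
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    fragments: bool = False             # the `fragments` keyword
    l4: Optional[Tuple[int, int]] = None  # Layer 4 qualifier, e.g. ICMP echo = (8, 0)
    matches: int = 0


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Return the ACL decision for one packet and bump the matching ACE's counter."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.fragments:
            # `fragments` ACEs never match initial fragments or whole packets
            if not pkt.non_initial:
                continue
            ace.matches += 1
            return ace.action
        if ace.l4 is not None:
            if pkt.non_initial:
                # No L4 header to inspect: a permit applies, a deny is skipped
                if ace.action == "permit":
                    ace.matches += 1
                    return "permit"
                continue
            if ace.l4 != pkt.l4:
                continue
        ace.matches += 1
        return ace.action
    return "deny"  # implicit deny ip any any


def reassemble(forwarded: List[Packet]) -> Dict[int, bool]:
    """Per Ident, True only if forwarded fragments form a contiguous chain from
    offset 0 up to a fragment with MF clear (simplified RFC 791 reassembly)."""
    groups: Dict[int, List[Packet]] = {}
    for p in forwarded:
        groups.setdefault(p.ident, []).append(p)
    complete: Dict[int, bool] = {}
    for ident, frags in groups.items():
        expected, ok = 0, False
        for f in sorted(frags, key=lambda p: p.offset):
            if f.offset != expected:
                break
            expected += f.length - IP_HEADER_LEN
            if not f.more_fragments:
                ok = True
                break
        complete[ident] = ok
    return complete


def filter_and_reassemble(acl: List[ACE], packets: List[Packet]):
    decisions = [(p.ident, p.offset, evaluate(acl, p)) for p in packets]
    forwarded = [p for p, d in zip(packets, decisions) if d[2] == "permit"]
    return decisions, reassemble(forwarded)


def build_acl_123() -> List[ACE]:
    # Sw1's list from the thread: 10 deny ip any any fragments / 20 permit ip any any
    return [ACE(10, "deny", "ip", fragments=True), ACE(20, "permit", "ip")]


def ping_1504_fragments() -> List[Packet]:
    # Constructed from the debug output: Ident 59, offsets 0 and 1480
    return [
        Packet("150.1.17.1", "151.1.3.3", "icmp", 59, 0, True, 1500, (8, 0)),
        Packet("150.1.17.1", "151.1.3.3", "icmp", 59, 1480, False, 24, None),
    ]


def ping_1204() -> List[Packet]:
    # Unfragmented echo from the debug output; Ident 60 is an assumed value
    return [Packet("150.1.17.1", "151.1.3.3", "icmp", 60, 0, False, 1204, (8, 0))]


if __name__ == "__main__":
    acl = build_acl_123()
    print(filter_and_reassemble(acl, ping_1504_fragments() + ping_1204()))
    # Comparison ACL (assumed): deny icmp echo by L4, then permit ip any any
    acl2 = [ACE(10, "deny", "icmp", l4=(8, 0)), ACE(20, "permit", "ip")]
    print(filter_and_reassemble(acl2, ping_1504_fragments()))
```

In the first scenario line 10 counts only the tail fragment and line 20 counts the initial fragment and the whole 1204-byte packet, mirroring the counters on Sw1. In the comparison ACL the Layer 4 deny catches the initial fragment and is skipped for the tail, which the RFC text Chris quotes describes: the tail is forwarded but useless without its first fragment, so the datagram is discarded either way.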
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART