
Re: using port numbers in selectors



> Fine, the first fragment containing the upper-level protocol header may have
> gone a different route.  However, if you let the rest of the
> fragments through as a result, I'd argue you have a security hole.

I don't think this is a major issue.

If you're allowing fragments through *at all*, and if you're allowing
packets through based on transport protocol and port number, that
implies a minimal level of trust in the end systems inside the
firewall (to correctly implement reassembly, and to correctly
implement services on the ports being let through).

					- Bill
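To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from any firewall the posters were using) of a toy port-based packet filter handling a fragmented TCP datagram: only the offset-0 fragment carries the transport header, so the filter must either drop later fragments outright or pass them and rely on the receiving host's reassembly, which is the trust Bill describes. The packet builder, addresses and port list are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass
class Decision:
    action: str   # "pass" or "drop"
    reason: str

def parse_ipv4(pkt: bytes):
    """Return (protocol, fragment offset in bytes, MF flag, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)     # MF bit
    offset = (flags_frag & 0x1FFF) * 8             # fragment offset is in 8-byte units
    return pkt[9], offset, more_fragments, pkt[ihl:]

def classify(pkt: bytes, allowed_tcp_ports, pass_non_initial_fragments: bool) -> Decision:
    """Port-based selector; the policy flag decides what happens to fragments it cannot inspect."""
    proto, offset, _more, payload = parse_ipv4(pkt)
    if offset != 0:
        # No transport header here, so the port rule cannot be evaluated at all.
        if pass_non_initial_fragments:
            return Decision("pass", "non-initial fragment; trusting end-system reassembly")
        return Decision("drop", "non-initial fragment; destination port unknown")
    if proto != 6:
        return Decision("drop", "not TCP")
    if len(payload) < 4:
        # A first fragment too short to hold both ports cannot be matched either.
        return Decision("drop", "first fragment does not carry the TCP port fields")
    _sport, dport = struct.unpack("!HH", payload[:4])
    if dport in allowed_tcp_ports:
        return Decision("pass", f"TCP port {dport} allowed")
    return Decision("drop", f"TCP port {dport} not allowed")

def build_ipv4(proto: int, offset_bytes: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) for sample packets; addresses are made up."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

# Constructed sample datagram: SMTP (port 25) connection split into two fragments.
FIRST_FRAG = build_ipv4(6, 0, True, struct.pack("!HH", 1234, 25) + b"\x00" * 12)
LATER_FRAG = build_ipv4(6, 16, False, b"A" * 8)
# Constructed first fragment aimed at a port the selector does not allow (telnet, 23).
DENIED_FIRST_FRAG = build_ipv4(6, 0, False, struct.pack("!HH", 4321, 23) + b"\x00" * 12)

if __name__ == "__main__":
    for name, pkt in [("first", FIRST_FRAG), ("later", LATER_FRAG), ("denied", DENIED_FIRST_FRAG)]:
        for policy in (True, False):
            print(name, "pass-frags=%s" % policy, classify(pkt, {25}, policy))
```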