USADOTGOV.NET Root Problems?

Tony Finch dot at dotat.at
Sat Jul 24 14:58:17 UTC 2010


On Sat, 24 Jul 2010, Warren Kumari wrote:
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
> >
> > Why would any inspection policy not allow fragmented UDP packets?
> > There's nothing wrong with that.
>
> Because it's "hard".... The issue is that then you need to buffer
> fragments until you get a full packet -- which leaves you open to
> attacks that send a bunch of fragments but leave one of them out.
>
> Vendors like to avoid reassembling fragments by default, because it
> makes their performance numbers better....

The Cisco PIX/ASA has horrible bugs in its SMTP inspection code, some also
related to packet boundaries. http://fanf.livejournal.com/102206.html

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: MAINLY SOUTH OR SOUTHWEST 3 OR 4,
OCCASIONALLY 5 LATER. SLIGHT OR MODERATE. RAIN OR SHOWERS. MODERATE OR GOOD.
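As an added example (not from the thread): a toy fragment reassembler in Python that makes Warren's point concrete. Reassembly forces the middlebox to buffer pieces, so a defender has to cap pending datagrams (globally and per source) and expire ones that never complete. Offsets are assumed to be byte offsets, and the limit values are illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Fragment:
    src: str        # sender address
    ident: int      # datagram identification field
    offset: int     # byte offset of this piece (assumption: bytes, not 8-byte units)
    more: bool      # "more fragments" flag
    payload: bytes

@dataclass
class Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None  # known once the last fragment arrives

class Reassembler:
    def __init__(self, max_pending: int = 64, max_per_src: int = 8, timeout: float = 30.0):
        self.max_pending, self.max_per_src, self.timeout = max_pending, max_per_src, timeout
        self.pending: Dict[Tuple[str, int], Pending] = {}
        self.dropped = 0  # fragments refused because a limit was hit

    def expire(self, now: float) -> None:
        # Datagrams that stay incomplete longer than `timeout` are discarded.
        for k in [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]:
            del self.pending[k]

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        # Buffer one fragment; return the whole datagram once every byte is present.
        self.expire(now)
        key = (frag.src, frag.ident)
        if key not in self.pending:
            per_src = sum(1 for s, _ in self.pending if s == frag.src)
            if per_src >= self.max_per_src or len(self.pending) >= self.max_pending:
                self.dropped += 1  # refuse rather than grow the table without bound
                return None
            self.pending[key] = Pending(first_seen=now)
        p = self.pending[key]
        p.pieces[frag.offset] = frag.payload
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        if p.total_len is None:
            return None
        buf, pos = bytearray(), 0
        while pos < p.total_len:  # walk contiguous pieces; any hole means keep waiting
            piece = p.pieces.get(pos)
            if piece is None:
                return None
            buf += piece
            pos += len(piece)
        del self.pending[key]
        return bytes(buf)
```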
