IPv6 Fragmentation
Kristof Provost
kp at FreeBSD.org
Sun Feb 21 18:10:35 UTC 2021
On 21 Feb 2021, at 0:02, Doug Hardie wrote:
>> On 20 February 2021, at 04:13, Kristof Provost <kp at FreeBSD.org> wrote:
>>
>> If you don’t have scrub fragment reassemble set then you have to
>> include something like pass log inet6 proto ipv6-frag all to pass
>> fragmented packets (assuming you block by default).
>>
>> You really, really want scrub fragment reassemble because otherwise
>> your firewall can be trivially bypassed, but you need one of the two
>> for fragmented packets to work.
>>
>
> I went with reassembly as it was easy to configure. However, is there
> some place where the trivial bypassing is addressed in detail? I
> would like to understand that.
>
Essentially this:
https://en.wikipedia.org/wiki/IP_fragmentation_attack#Fragmentation_for_evasion
The attacker breaks up the packet into fragments so that the real upper
layer header (e.g. TCP) is not in the first packet. All the firewall
sees is a fragmentation header and a few random bytes. Not enough to,
for example, get the port number. So the firewall allows it through
(‘pass log inet6 proto ipv6-frag’), and your policy to deny traffic
to port 22 has not been applied.
Best regards,
Kristof
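To make the bypass concrete, here is an added example (not from the thread, and not pf's code) that models the two behaviours in Python: matching each fragment on its Fragment header alone, as a bare `pass inet6 proto ipv6-frag` rule does, versus reassembling the datagram first and then applying the port-22 policy. The rule model, the function names and the sample TCP segment are constructed for illustration.

```python
import struct

IPPROTO_TCP = 6
IPV6_FRAG = 44            # Next Header value of the IPv6 Fragment header
BLOCKED_DST_PORT = 22     # the policy from the thread: deny traffic to port 22

def build_fragments(segment: bytes, ident: int, chunk: int = 8) -> list:
    """Split a TCP segment into IPv6 fragments (Fragment header + piece).
    Header per RFC 8200 s4.5: next hdr, reserved, 13-bit offset in 8-octet
    units | 2 reserved bits | M flag, 32-bit identification. 'chunk' must
    be a multiple of 8 for every fragment but the last."""
    frags = []
    for off in range(0, len(segment), chunk):
        piece = segment[off:off + chunk]
        more = 1 if off + chunk < len(segment) else 0
        hdr = struct.pack("!BBHI", IPPROTO_TCP, 0, ((off // 8) << 3) | more, ident)
        frags.append(hdr + piece)
    return frags

def reassemble(frags: list):
    """Rebuild (next_header, payload) from fragments of one datagram, or None
    if a piece is missing: a firewall should hold or drop, never guess."""
    pieces, total, nh = {}, None, None
    for f in frags:
        nh, _, off_m, _ident = struct.unpack("!BBHI", f[:8])
        off, more = (off_m >> 3) * 8, off_m & 1
        pieces[off] = f[8:]
        if not more:
            total = off + len(f[8:])
    covered, data = 0, bytearray()
    for off in sorted(pieces):
        if off != covered:            # gap or overlap: datagram is incomplete
            return None
        data += pieces[off]
        covered += len(pieces[off])
    return (nh, bytes(data)) if total is not None and covered == total else None

def policy(next_header: int, payload: bytes) -> str:
    """Constructed rule model: block TCP to port 22, otherwise pass
    (bare fragments included, as 'pass inet6 proto ipv6-frag' does)."""
    if next_header == IPPROTO_TCP and len(payload) >= 4:
        if struct.unpack("!H", payload[2:4])[0] == BLOCKED_DST_PORT:
            return "block"
    return "pass"

def decide_per_fragment(frags: list) -> list:
    """No scrub: every fragment is matched as proto ipv6-frag; no port is ever seen."""
    return [policy(IPV6_FRAG, f) for f in frags]

def decide_reassembled(frags: list) -> str:
    """scrub fragment reassemble: the rules run on the whole datagram."""
    whole = reassemble(frags)
    return policy(*whole) if whole else "block"

# Constructed sample: a TCP SYN to port 22 followed by 8 payload bytes (28 bytes total).
SAMPLE_TCP = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, 5 << 12 | 0x02, 65535, 0, 0) + b"payload!"
```

Run `decide_per_fragment(build_fragments(SAMPLE_TCP, 0x1234))` and `decide_reassembled(...)` on the same fragments to see the per-fragment rules pass every piece while the reassembled datagram is blocked.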