Subject: Re: fragmentation attack
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 04/25/2002 19:45:32
In message <200204260203.MAA05223@avalon.reed.wattle.id.au>
Darren Reed writes:

>In some email I received from David Laight, sie wrote:
>[...]
>> Also since an interface is required to have an mtu of at least
>> (about) 512, anything with stupid fragmentation can be safely
>> dumped!  - now detect stupid :-)
>
>No, it's not.  You're confusing this with the minimum size the IP
>stack must be able to reassemble.  Go check bugtraq archives for
>discussions about fragmentation attacks - there's a lot of detail
>there, including references to RFCs.  More than one of them has
>involved research & testing by yours truly.

Darren is 100% correct.  See RFC 879; or (for a more recent twist)
RFC 1191, for an authoritative statement.

Oh, and the magic number is 576 bytes for IP, and 536 for TCP, not
512.  Steve chose 1280-odd for IPv6, to guarantee a useful
application-level payload of 1024 bytes.  (Metricom Ricochet was
the sole link-level where this was a serious problem.)