Network Security Principles and Practices by Saadat Malik

IP Fragment Handling by ACLs

IP fragments pose a special challenge to ACL processing on routers. IP fragments contain limited information, making it difficult for ACLs to process them properly. In addition, they can be used to stage certain types of attacks. This section looks at how Cisco's implementation of ACLs deals with IP fragmentation-based issues.

Filtering IP Fragments

Noninitial fragments do not contain Layer 4 and above information. For most legitimate packets, this information is contained in the packet's initial fragment (fragment offset [FO] = 0 for the initial fragment). Therefore, it is impossible for access lists set up to do filtering on Layer 4 information, such as TCP port numbers, to figure out whether a fragment that contains ...
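To make the limitation concrete, here is a small Python model added for this section (it is not code from the book or from any Cisco implementation). It builds three constructed IPv4 packets, an unfragmented TCP segment, the initial fragment (FO = 0, MF set) and a noninitial fragment (FO > 0), parses the flags/fragment-offset field, and runs each through a toy ACL in which one entry matches on a TCP destination port. The port lookup succeeds only when the fragment offset is 0; for the noninitial fragment the port-based entry is undecidable because the packet carries no Layer 4 header at all. The function and field names (`parse_ipv4`, `classify`, `l4_ports`, `match_ace`, `evaluate_acl`) and the addresses are assumptions for the example. How a real router resolves an undecidable port-based entry is vendor- and keyword-specific and is beyond the text quoted above; this model simply skips such entries, records them, and falls through to the implicit deny.

```python
import struct

# Constructed sample addresses, not taken from the book.
SRC = bytes([10, 0, 0, 5])
DST = bytes([192, 0, 2, 10])
MF_FLAG = 0x2000   # "more fragments" bit in the 16-bit flags/fragment-offset field
FO_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def build_ipv4(proto, payload, ident=0x1234, more_fragments=False, frag_offset=0):
    """Prepend a minimal IPv4 header (checksum left zero) to payload."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & FO_MASK)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, SRC, DST)
    return hdr + payload


def parse_ipv4(pkt):
    """Extract the fields an ACL cares about: protocol, MF bit, FO, payload."""
    ver_ihl, _tos, _len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & MF_FLAG), "fo": flags_frag & FO_MASK,
            "payload": pkt[ihl:]}


def classify(hdr):
    """Unfragmented, initial fragment (FO = 0, MF set) or noninitial fragment (FO > 0)."""
    if hdr["fo"] != 0:
        return "noninitial"
    return "initial" if hdr["mf"] else "unfragmented"


def l4_ports(hdr):
    """(src_port, dst_port), or None when this packet has no Layer 4 header.

    TCP/UDP ports sit in the first 4 bytes after the IP header, which only
    exist in a packet with fragment offset 0. A noninitial fragment's payload
    is a slice from the middle of the datagram, so reading "ports" from it
    would just be interpreting arbitrary data.
    """
    if hdr["fo"] != 0 or hdr["proto"] not in (6, 17) or len(hdr["payload"]) < 4:
        return None
    return struct.unpack("!HH", hdr["payload"][:4])


def match_ace(hdr, ace):
    """True/False for a decided match; None when the ACE needs L4 data the packet lacks."""
    if ace.get("proto") is not None and ace["proto"] != hdr["proto"]:
        return False
    if ace.get("dst_port") is None:
        return True                  # Layer 3 only: always decidable
    ports = l4_ports(hdr)
    if ports is None:
        return None                  # port-based ACE, but no Layer 4 header here
    return ports[1] == ace["dst_port"]


def evaluate_acl(pkt, acl):
    """Walk the ACEs in order and return the first decided match.

    Undecidable ACEs are skipped and recorded (a modelling choice for this
    example, not a statement of router behaviour); if nothing matches, the
    implicit deny at the end of the list applies.
    """
    hdr = parse_ipv4(pkt)
    undecidable = []
    for idx, ace in enumerate(acl):
        m = match_ace(hdr, ace)
        if m is None:
            undecidable.append(idx)
        elif m:
            return {"fragment": classify(hdr), "action": ace["action"],
                    "ace": idx, "undecidable": undecidable}
    return {"fragment": classify(hdr), "action": "deny",
            "ace": None, "undecidable": undecidable}


# Toy ACL: "permit tcp any any eq 80" followed by the implicit deny.
ACL = [{"action": "permit", "proto": 6, "dst_port": 80}]

# Constructed packets: a 20-byte TCP header (src 40000, dst 80) with no options.
TCP_HDR = struct.pack("!HH", 40000, 80) + b"\x00" * 16
PKT_WHOLE = build_ipv4(6, TCP_HDR)                        # unfragmented
PKT_FIRST = build_ipv4(6, TCP_HDR, more_fragments=True)   # initial fragment, FO = 0
PKT_REST = build_ipv4(6, b"\xaa" * 16, frag_offset=3)     # noninitial fragment, FO = 3

if __name__ == "__main__":
    for name, pkt in (("whole", PKT_WHOLE), ("first", PKT_FIRST), ("rest", PKT_REST)):
        print(name, evaluate_acl(pkt, ACL))
```

Running the block shows the unfragmented packet and the initial fragment both matching the port-80 entry, while the noninitial fragment reports entry 0 as undecidable and falls through to deny. That is exactly the gap the section describes: the only packet of the datagram that lets a Layer 4 ACL decide anything is the one with FO = 0.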