Re: An ethernet frame with two IP packets inside?

[Gigi Sullivan <sullivan () seclab com>]

Hello there :)

On Sat, 24 Oct 1998, Keller wrote:

> Date: Sat, 24 Oct 1998 01:51:39 +0200
> From: Keller <keller () wiesbaden netsurf de>
> To: "firewall-wizards () nfr net" <firewall-wizards () nfr net>
> Subject: An ethernet frame with two IP packets inside?
>
> Hi gurus and beardy wizards, 
>
> what happens if one ethernet frame contains two IP packets?
>
> I know, it *shouldn't* happen, but I could construct one, right?

Yes, and obviously it's not hard to do it.

> How will different tcpip stacks deal with the second IP packet?

Well, if you build two ip packet into one ethernet frame, it *shouldn't*
be a problem. I.e. when the IP layer has to multiplex the incoming
datagram to see to which layer it has to pass the datagram to, it simply
check out the ip_p field and *I guess* that if it finds IPPROTO_IP it
should drops the packet.

Er .. this is what I think. I've never looked at the code yet.
And it should be interesting imho :)


> Could it slip through the filtering rules on some
> routers? 
> Could it slip past static pattern matching firewalls (FW-1?)
> ?
>
> Any ideas or pointers are greatly appreciated.. 
>
> Cheers!
>
> Stefan Keller
>
> p.s.:
> I'm aware that it would imply that the attacker sits directly 
> in front of the router/firewall server/whatever..
> Then again, he could sit on a (compromised) Linux web server 
> with .. let's say SPAK.. downloaded to that machine.

Cheers:)

Bye bye


                        -- gg sullivan


--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com