Vulnerability Development mailing list archives

Re: Linksys DSL routers and fragments


From: "C. Regis Wilson" <t_pascal () PC4 ZENNET COM>
Date: Thu, 30 Nov 2000 19:08:16 -0800

"C. Regis Wilson" wrote:
One interesting thing I found is that the DMZ option does allow exotic protocols
but only if you use the external IP of the router as your internal address!!
Picture this:  external IP=10.0.0.1 internal IP=10.0.0.2 client IP=10.0.0.1.
You'd think the packets would get confused (no known router would allow this
setup), but it works.  And when you set the DMZ host to 10.0.0.1, you can pass
IPSec, protocol 57, GRE, etc. etc.


When you set up this configuration did you verify that in fact the router was now
acting as a bridge or did it just become a switch or hub?
Did the router still route packets destined for other hosts besides your machine?
I have seen no problem with packet fragments being dropped. Could you please tell
me how/what you used to verify this.

I have sniffers on both sides of the Linksys and I see fragments on the outside
but not on the inside.  So I'm pretty sure they're dropped (yes, I used a hub,
not the built-in switched ports :).  I am extremely interested to know if it
can pass the fragments as I currently have some problems with a UDP protocol
that fragments often.  Rather than rewrite the protocol, I'd love to hear
how fragments get passed.  As we know, fragments don't have port information
in the headers and thus, most NAT (really PAT) devices won't forward without
header information.  IOS will, but IOS rocks.

As for turning into a bridge...  It doesn't quite behave like a regular bridge
because of fragment loss (I'd love to be proven wrong), and the inbound packets
don't always get routed properly.  Not sure about other systems; I haven't
played with it.

BTW: I have been able to use _exotic_ protocols since updating to the latest
firmware without a problem in any configuration. No need for the DMZ host. Just do
it.

I've tried using SKIP (proto 57) and it just doesn't work unless you set it up
the way I've said.  Speaking of which, the key exchange also has UDP fragment
problems that drive me crazy with the Linksys.

All in all, the product is a good buy for the money.

Oh, no doubt about that.
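
The fragment behaviour discussed in this message, as an added example that is not part of the original post: only the first fragment of a UDP datagram carries the ports, so a PAT lookup by port has nothing to match on later fragments. The addresses, port map and the `track_fragments` option (remembering the first fragment's mapping by source, destination, protocol and IP ID) are constructed assumptions, not a description of the Linksys or IOS implementation.

```python
import struct

def ipv4(src, dst, ident, frag_off_bytes, more, payload, proto=17):
    """Build a minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    flags_off = (0x2000 if more else 0) | (frag_off_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def fragment(src, dst, ident, l4, chunk=16):
    """Split an L4 datagram into IPv4 fragments (chunk is a multiple of 8)."""
    parts = [l4[i:i + chunk] for i in range(0, len(l4), chunk)]
    return [ipv4(src, dst, ident, i * chunk, i < len(parts) - 1, c)
            for i, c in enumerate(parts)]

def parse(pkt):
    _, _, _, ident, fo, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    offset = (fo & 0x1FFF) * 8
    # Only the fragment at offset 0 carries the UDP header with the ports.
    ports = struct.unpack("!HH", pkt[20:24]) if offset == 0 else None
    return dict(src=src, dst=dst, id=ident, proto=proto, offset=offset, ports=ports)

def pat_inbound(pkts, port_map, track_fragments):
    """Return the internal host chosen for each packet; None means dropped.
    Assumes the first fragment arrives before the others."""
    frag_state = {}  # (src, dst, proto, id) -> internal host
    out = []
    for p in map(parse, pkts):
        key = (p["src"], p["dst"], p["proto"], p["id"])
        if p["ports"] is not None:
            host = port_map.get(p["ports"][1])  # look up by destination port
            if track_fragments and host:
                frag_state[key] = host
        else:
            host = frag_state.get(key) if track_fragments else None
        out.append(host)
    return out

# Constructed sample: 40-byte UDP datagram to port 5000, split into 3 fragments.
UDP = struct.pack("!HHHH", 40000, 5000, 40, 0) + b"A" * 32
FRAGS = fragment((192, 0, 2, 9), (198, 51, 100, 1), 0x1234, UDP)
PORT_MAP = {5000: "192.168.1.100"}

if __name__ == "__main__":
    print("port-only PAT:    ", pat_inbound(FRAGS, PORT_MAP, False))
    print("fragment tracking:", pat_inbound(FRAGS, PORT_MAP, True))
```
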

