Vulnerability Development mailing list archives
Re: Linksys DSL routers and fragments
From: "C. Regis Wilson" <t_pascal () PC4 ZENNET COM>
Date: Thu, 30 Nov 2000 19:08:16 -0800
"C. Regis Wilson" wrote:

>> One interesting thing I found is that the DMZ option does allow exotic protocols, but only if you use the external IP of the router as your internal address!! Picture this: external IP=10.0.0.1, internal IP=10.0.0.2, client IP=10.0.0.1. You'd think the packets would get confused (no known router would allow this setup), but it works. And when you set the DMZ host to 10.0.0.1, you can pass IPSec, protocol 57, GRE, etc. etc.

> When you set up this configuration, did you verify that the router was in fact now acting as a bridge, or did it just become a switch or hub? Did the router still route packets destined for other hosts besides your machine? I have seen no problem with packet fragments being dropped. Could you please tell me how/what you used to verify this.

I have sniffers on both sides of the Linksys and I see fragments on the outside but not on the inside. So I'm pretty sure they're dropped (yes, I used a hub, not the built-in switched ports :). I am extremely interested to know if it can pass the fragments, as I currently have some problems with a UDP protocol that fragments often. Rather than rewrite the protocol, I'd love to hear how fragments get passed. As we know, fragments don't have port information in the headers and thus most NAT (really PAT) devices won't forward without header information. IOS will, but IOS rocks. As for turning into a bridge... It doesn't quite behave like a regular bridge because of fragment loss (I'd love to be proven wrong), and the inbound packets don't always get routed properly. Not sure about other systems; I haven't played with it.

> BTW: I have been able to use _exotic_ protocols since updating to the latest firmware without a problem in any configuration. No need for the DMZ host. Just do it.

I've tried using SKIP (proto 57) and it just doesn't work unless you set it up the way I've said. Speaking of which, the key exchange also has UDP fragment problems that drive me crazy with the Linksys.

> All in all, the product is a good buy for the money.

Oh, no doubt about that.
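The fragment problem the thread keeps running into comes down to one fact: the UDP (or TCP) ports live in the first 8 bytes of the datagram, so only the fragment at offset 0 carries them, and a translator that keys its table on ports has nothing to match the remaining fragments against. The following is an added example, not part of the original post or of the Linksys or IOS firmware: it builds one UDP datagram split into two IPv4 fragments and runs both through a port-only PAT lookup (which drops the second fragment) and a fragment-aware translator that remembers the (source, destination, protocol, IP identification) tuple of the first fragment so the port-less ones can follow it. The external and DMZ addresses (10.0.0.1, 10.0.0.2) are taken from the thread; the remote peer 198.51.100.7, the mapped UDP port 500 and the translator logic itself are constructed for this illustration.

```python
"""Why port-only NAT/PAT drops IP fragments, and what a fragment-aware translator does.
Constructed example: one UDP datagram split into two IPv4 fragments is fed to a naive
PAT lookup and to a translator that keys later fragments on the first one's IP ID.
Addresses follow the thread (external 10.0.0.1, DMZ host 10.0.0.2); the remote peer
198.51.100.7 and the mapped UDP port 500 are made up for this example."""
import socket
import struct
from dataclasses import dataclass

IPPROTO_UDP = 17
MF_FLAG = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

@dataclass
class IPv4Fragment:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    offset: int      # byte offset of this payload within the original datagram
    payload: bytes

def ipv4_checksum(data):
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, ident, offset, more_fragments, payload):
    """Minimal 20-byte IPv4 header plus payload; offset is in bytes (multiple of 8)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    """Decode the fields a translator needs, after verifying the header checksum."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    return IPv4Fragment(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident,
                        bool(flags_frag & MF_FLAG), (flags_frag & 0x1FFF) * 8,
                        pkt[ihl:total_len])

def naive_pat_lookup(frag, port_table):
    """Port-only PAT: UDP ports sit in the first 8 bytes of the datagram, which only
    the fragment at offset 0 carries, so every later fragment is dropped (None)."""
    if frag.proto != IPPROTO_UDP or frag.offset != 0 or len(frag.payload) < 8:
        return None
    _sport, dport = struct.unpack("!HH", frag.payload[:4])
    return port_table.get((frag.dst, frag.proto, dport))

class FragmentAwarePAT:
    """Remembers where the first fragment of a datagram went, keyed on
    (src, dst, proto, IP ID), so the port-less fragments that follow it go there too."""
    def __init__(self, port_table):
        self.port_table = port_table  # (external IP, proto, external port) -> internal host
        self.frag_table = {}          # (src, dst, proto, ident) -> internal host

    def translate(self, frag):
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        if frag.offset == 0:
            target = naive_pat_lookup(frag, self.port_table)
            if target is not None and frag.more_fragments:
                self.frag_table[key] = target
            return target
        # Non-first fragment: follow the first.  Real translators also buffer fragments
        # that arrive before their first fragment and expire stale entries.
        target = self.frag_table.get(key)
        if target is not None and not frag.more_fragments:
            del self.frag_table[key]  # last fragment seen; mapping no longer needed
        return target

def demo():
    """Run both translators over a two-fragment UDP datagram and return their verdicts."""
    port_table = {("10.0.0.1", IPPROTO_UDP, 500): "10.0.0.2"}
    udp_payload = bytes(range(24))
    datagram = struct.pack("!HHHH", 500, 500, 8 + len(udp_payload), 0) + udp_payload
    peer, ext = "198.51.100.7", "10.0.0.1"
    # Split at 16 bytes: the first fragment carries the UDP header, the second does not.
    frags = [parse_ipv4(build_ipv4(peer, ext, IPPROTO_UDP, 0x1234, 0, True, datagram[:16])),
             parse_ipv4(build_ipv4(peer, ext, IPPROTO_UDP, 0x1234, 16, False, datagram[16:]))]
    naive = [naive_pat_lookup(f, port_table) for f in frags]
    aware = FragmentAwarePAT(port_table)
    return naive, [aware.translate(f) for f in frags]
```

`demo()` returns `(['10.0.0.2', None], ['10.0.0.2', '10.0.0.2'])`: the port-only lookup forwards the first fragment and silently drops the second, which is exactly the "fragments on the outside but not on the inside" picture a sniffer on each side shows. The fragment-aware translator only has to remember one tuple per in-flight datagram; the hard parts a real implementation adds are buffering fragments that arrive before the first one, expiring entries so the table cannot be filled up, and checking overlapping offsets during reassembly.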