Firewall Wizards mailing list archives

Re: An ethernet frame with two IP packets inside?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 29 Oct 1998 11:26:29 -0800 (PST)


You could construct such a packet, but it would be meaningless. Put a
sniffer on the wire and see why.

Ethernet has a minimum payload size of 46 bytes, and the minimum
IP packet is 20 bytes (well, minimum useful packet is 28 if you do an
empty ping). Thus, any bytes after the end of your first IP packet
will be treated as padding by all stacks. Now, stacks might make
assumptions about the size of padding so you might be able to crash
them just by appending a huge number of bytes (similarly, some
products crash if they receive Ethernet frames beyond the 1.5k max
size).

The key point is that nobody will make the assumption that the bytes
after the end of the first packet should be treated as anything other
than padding, much less an IP header. Remember, we humans may know
that there is a second IP header (the first byte being 0x45 is a dead
giveaway for IP), but protocol stacks don't use AI. They just follow
the rules: 0x0800 at offset 12 means IP comes next. The IP length
gives the length of the IP packet. Anything else is padding/garbage
and should be ignored.





---Keller <keller () wiesbaden netsurf de> wrote:

Hi gurus and beardy wizards, 

what happens if one ethernet frame contains two IP packets?

I know, it *shouldn't* happen, but I could construct one, right?
How will different tcpip stacks deal with the second IP packet?
Could it slip through the filtering rules on some routers?
Could it slip past static pattern matching firewalls (FW-1?) ?

Any ideas or pointers are greatly appreciated.. 

Cheers!

Stefan Keller

p.s.:
I'm aware that it would imply that the attacker sits directly 
in front of the router/firewall server/whatever..
Then again, he could sit on a (compromised) Linux web server 
with .. let's say SPAK.. downloaded to that machine.
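
Added example, not part of the original messages: a Python sketch of the parsing rules described in the reply (EtherType 0x0800 at offset 12, IP total length bounds the packet, the rest is trailer), run over two constructed frames. It assumes Ethernet II frames captured without the FCS; `split_frame`, `ipv4_header` and the sample addresses are illustrative, and the "excess trailer" flag is a heuristic a monitor could log, not a rule from the thread.

```python
# Added example: helper names are illustrative, sample frames are constructed.
import struct

ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_PAYLOAD = 46    # minimum Ethernet payload, as stated in the reply
ETHERTYPE_IPV4 = 0x0800

def split_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame (no FCS) the way an IP stack does."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    payload = frame[ETH_HDR_LEN:]
    version, ihl = payload[0] >> 4, (payload[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", payload, 2)
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(payload):
        raise ValueError("malformed IPv4 header")
    trailer = payload[total_len:]   # never parsed as a header by the stack
    # Only the 46-byte minimum payload explains padding after the packet.
    expected_pad = max(0, ETH_MIN_PAYLOAD - total_len)
    return {
        "ip_packet": payload[:total_len],
        "trailer": trailer,
        "excess_trailer": len(trailer) > expected_pad,
        "trailer_looks_like_ipv4": trailer[:1] == b"\x45",
    }

def ipv4_header(total_len: int, proto: int = 1) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

ETH = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
# Constructed samples: a 28-byte packet (8 zero bytes stand in for the ICMP
# header) padded to 46 bytes, and the same packet followed by bytes that
# resemble a second IPv4 packet.
FIRST = ipv4_header(28) + bytes(8)
PADDED = ETH + FIRST + bytes(18)
DOUBLE = ETH + FIRST + ipv4_header(28) + bytes(8)

if __name__ == "__main__":
    for name, frame in (("padded", PADDED), ("double", DOUBLE)):
        r = split_frame(frame)
        print(name, len(r["ip_packet"]), len(r["trailer"]),
              r["excess_trailer"], r["trailer_looks_like_ipv4"])
```

In both frames the parsed IP packet is the same 28 bytes; the second header only shows up as trailer bytes, which is where a sniffer or monitor would see it.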



