Firewall Wizards mailing list archives

Re: An ethernet frame with two IP packets inside?


From: cbrenton <cbrenton () sover net>
Date: Thu, 29 Oct 1998 07:58:07 -0500 (EST)

On Sat, 24 Oct 1998, Keller wrote:

> what happens if one ethernet frame contains two IP packets?

There are actually quite a few instances where this is useful. Check out
IP type 4 (IP over IP), IP type 47 (GRE) and IP type 18 (multiplexing).
These are the most popular.

> I know, it *shouldn't* happen, but I could construct one, right?

See above. ;)

> How will different tcpip stacks deal with the second IP packet?
> Could it slip through the filtering rules on some routers?
> Could it slip past static pattern matching firewalls (FW-1?)?

Well, each of the above has a unique type field which would be read by the
filtering device. This has to be processed in order to apply the proper
rules (for example TCP is type 6 and UDP is type 17). The filtering device
should drop any traffic which does not have a known type value.

If you are talking about doing something like encapsulating a TCP/IP
packet within another TCP/IP and not correctly identifying the type field in
the first header, the correct response would be to handle the second
packet as payload which means the info would be ignored by the app
layer. I'm not saying 100% of the IP stacks you encounter will do this,
simply that this would be the expected action.

Your actual mileage may vary... ;)

Hope this helps,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850
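
The behaviour described in this reply, sketched as an added example that is not part of the original post: a filter reads the IPv4 protocol field, drops values it does not know, applies the same rules to the inner header of an IP-in-IP (protocol 4) packet, and treats an IP header carried inside TCP as opaque payload. The policy tables, the nesting limit and the sample packets are assumptions constructed for illustration.

```python
import struct

# Assumed policy for this example: protocol numbers the filter understands.
ALLOWED = {6: "TCP", 17: "UDP"}   # handed to a transport-layer rule
TUNNELS = {4: "IP-in-IP"}         # payload is itself an IPv4 packet
MAX_DEPTH = 2                     # assumed limit on nested tunnels

def classify(packet, depth=0):
    """Return the list of verdicts for an IPv4 packet, outermost header first."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["drop: not a valid IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # header + payload
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return ["drop: bad header or total length"]
    proto = packet[9]                                 # the "type" field
    if proto in ALLOWED:
        # The payload is opaque at this layer: a second IP header inside
        # a TCP segment is never parsed as a packet, it is just data.
        return ["accept: " + ALLOWED[proto]]
    if proto in TUNNELS:
        if depth >= MAX_DEPTH:
            return ["drop: " + TUNNELS[proto] + " nested too deep"]
        # Apply the same rules to the inner header before accepting.
        return ["inspect: " + TUNNELS[proto]] + classify(packet[ihl:total_len], depth + 1)
    # GRE (47) and every other value are not in this example's policy.
    return ["drop: unknown protocol %d" % proto]

def ipv4(proto, payload):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # TEST-NET-1
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "plain TCP": ipv4(6, b"\x00" * 20),
        "UDP inside IP-in-IP": ipv4(4, ipv4(17, b"\x00" * 8)),
        "unknown inner protocol": ipv4(4, ipv4(99, b"")),
        "IP header inside TCP": ipv4(6, ipv4(6, b"\x00" * 20)),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```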



