ipv6 fragment reassembling

Seth_Hall3 · February 23, 2012, 1:11am

Here is a great article about ipv6 fragment handling.

http://blog.si6networks.com/2012/02/ipv6-nids-evasion-and-improvements-in.html

The article concludes by point out that it looks like the IETF is converging on RFCs that forbid overlapping fragments which should make fragment reassembly much clearer for us. Current operating systems are of course all over the map in terms of what they actually support of course.

.Seth

Gregor_Maier2 · February 23, 2012, 11:20pm

I don't get what all this fuss is about. IPv4 has exactly the same issues.

Even with a "standard" way of handling overlaps the IDS has no way of knowing if the monitored systems actually implement the standard correctly. So you are still in the same position you were before. And if it's not fragments that you can still have overlapping TCP segments, TTL-tuning, hiding ports in subsequent fragments, etc., etc.)

cu
Gregor

robin · February 24, 2012, 7:03pm

Yeah, that's right. In particular given that this is a recent change.
What we could see is if overlapping fragements are rare enough that
it's worth alarming on.

Robin

Topic		Replies	Views
Overlaps Question Zeek	2	45	May 6, 2022
IP6 addresses Development development	10	80	May 6, 2022
[JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity Development development	2	60	May 6, 2022
[Bro-Commits] [git/bro] topic/jsiwek/bit-1246: Fix issue w/ TCP reassembler not delivering some segments. (f1cef9d) Development development	3	60	May 6, 2022
IPv6 and software.log records Development development	2	66	May 6, 2022

ipv6 fragment reassembling

Related Topics