[Bro-Dev] ipv6 fragment reassembling

Gregor Maier gregor at majordomus.org
Thu Feb 23 15:20:32 PST 2012

On 2/22/12 17:11 , Seth Hall wrote:
> Here is a great article about ipv6 fragment handling.
> http://blog.si6networks.com/2012/02/ipv6-nids-evasion-and-improvements-in.html
> The article concludes by point out that it looks like the IETF is converging on RFCs that forbid overlapping fragments which should make fragment reassembly much clearer for us.  Current operating systems are of course all over the map in terms of what they actually support of course. :)

I don't get what all this fuss is about. IPv4 has exactly the same issues.

Even with a "standard" way of handling overlaps the IDS has no way of 
knowing if the monitored systems actually implement the standard 
correctly. So you are still in the same position you were before. And if 
it's not fragments that you can still have overlapping TCP segments, 
TTL-tuning, hiding ports in subsequent fragments, etc., etc.)


More information about the bro-dev mailing list