NFR Wizards Archive: Re: An ethernet frame with two IP packets

Re: An ethernet frame with two IP packets inside?


Gigi Sullivan (sullivan@seclab.com)
Thu, 29 Oct 1998 14:26:40 +0100 (CET)


Hello there :)

On Sat, 24 Oct 1998, Keller wrote:

> Date: Sat, 24 Oct 1998 01:51:39 +0200
> From: Keller <keller@wiesbaden.netsurf.de>
> To: "firewall-wizards@nfr.net" <firewall-wizards@nfr.net>
> Subject: An ethernet frame with two IP packets inside?
>
> Hi gurus and beardy wizards,
>
> what happens if one ethernet frame contains two IP packets?
>
> I know, it *shouldn't* happen, but I could construct one, right?

Yes, and obviously it's not hard to do.

> How will different tcpip stacks deal with the second IP packet?

Well, if you build two IP packets into one ethernet frame, it *shouldn't*
be a problem. I.e. when the IP layer has to multiplex the incoming
datagram to see which layer it has to pass the datagram to, it simply
checks the ip_p field, and *I guess* that if it finds IPPROTO_IP it
should drop the packet.

Er... this is what I think. I've never looked at the code yet,
and it should be interesting imho :)

>
> Could it slip through the filtering rules on some
> routers?
> Could it slip past static pattern matching firewalls (FW-1?)
> ?
>
> Any ideas or pointers are greatly appreciated..
>
> Cheers!
>
> Stefan Keller
>
> p.s.:
> I'm aware that it would imply that the attacker sits directly
> in front of the router/firewall server/whatever..
> Then again, he could sit on a (compromised) Linux web server
> with .. let's say SPAK.. downloaded to that machine.
>
>

Cheers :)

Bye bye

                        -- gg sullivan

--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan@seclab.com
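
An added example for the question in this thread; it is not part of the
original messages and is not code from either poster. It builds the frame
Keller describes (one Ethernet frame with two IPv4 packets back to back; the
addresses, protocols and payloads are constructed sample data) and then looks
at it two ways. First, the way an IP input routine does: the datagram is
delimited by the first header's ip_len (total length), and whatever follows
is trimmed as a trailer, because the stack has no way to tell a second packet
from the padding an Ethernet driver adds to short frames, so ip_p is only ever
read from the first header. Second, the way a scanner that walks every offset
without trusting ip_len would see it, which finds both headers. The helper
names build_double_frame, ip_input_view and count_plausible_ipv4_headers are
this example's own and do not come from any real stack.

```c
/* Added example, not from the original thread. Constructed sample frame:
 * Ethernet header, IPv4/UDP packet, then a second IPv4/ICMP packet. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN  14
#define IPV4_HLEN 20

struct ip_view {
    uint8_t  proto;      /* ip_p of the datagram the stack demultiplexes on */
    uint16_t total_len;  /* ip_len of that datagram */
    size_t   trailing;   /* bytes after ip_len that the stack trims and ignores */
    int      csum_ok;    /* header checksum verified */
};

/* RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is filled in correctly. */
static uint16_t ip_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)(p[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Minimal IPv4 header (no options) followed by payload; returns bytes written. */
static size_t build_ipv4(uint8_t *dst, uint8_t proto, uint32_t src, uint32_t dip,
                         const uint8_t *payload, size_t plen) {
    uint16_t total = (uint16_t)(IPV4_HLEN + plen);
    memset(dst, 0, IPV4_HLEN);
    dst[0] = 0x45;                          /* version 4, IHL 5 */
    dst[2] = total >> 8; dst[3] = total & 0xff;
    dst[8] = 64;                            /* TTL */
    dst[9] = proto;
    put32(dst + 12, src); put32(dst + 16, dip);
    uint16_t c = ip_checksum(dst, IPV4_HLEN);
    dst[10] = c >> 8; dst[11] = c & 0xff;
    memcpy(dst + IPV4_HLEN, payload, plen);
    return IPV4_HLEN + plen;
}

/* The frame asked about: one Ethernet frame, two IPv4 packets back to back. Returns frame length. */
size_t build_double_frame(uint8_t *buf, size_t cap) {
    static const uint8_t p1[] = "hello";    /* constructed payloads */
    static const uint8_t p2[] = "second";
    if (cap < ETH_HLEN + 2 * IPV4_HLEN + (sizeof p1 - 1) + (sizeof p2 - 1)) return 0;
    memset(buf, 0, ETH_HLEN);               /* sample MACs left as zeros */
    buf[12] = 0x08; buf[13] = 0x00;         /* EtherType IPv4 */
    size_t off = ETH_HLEN;
    off += build_ipv4(buf + off, 17, 0x0a000001, 0x0a000002, p1, sizeof p1 - 1); /* 10.0.0.1 -> 10.0.0.2, UDP */
    off += build_ipv4(buf + off, 1,  0xc0a80101, 0xc0a80102, p2, sizeof p2 - 1); /* 192.168.1.1 -> .2, ICMP */
    return off;
}

/* What an IP input routine acts on. Returns the number of datagrams delivered (0 or 1).
 * Only the first header's ip_len delimits the datagram; bytes after it are
 * indistinguishable from Ethernet padding and are trimmed before demultiplexing. */
int ip_input_view(const uint8_t *frame, size_t len, struct ip_view *v) {
    if (len < ETH_HLEN + IPV4_HLEN || frame[12] != 0x08 || frame[13] != 0x00) return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    size_t avail = len - ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IPV4_HLEN || ihl > avail) return 0;
    uint16_t total = (uint16_t)(ip[2] << 8 | ip[3]);
    if (total < ihl || total > avail) return 0;   /* truncated datagram: dropped */
    v->csum_ok   = ip_checksum(ip, ihl) == 0;
    v->proto     = ip[9];                        /* ip_p: this is all the stack dispatches on */
    v->total_len = total;
    v->trailing  = avail - total;
    return 1;
}

/* What a scanner that ignores ip_len sees: every offset holding something that
 * looks like an IPv4 header (version 4, IHL 5, valid checksum, length that fits). */
int count_plausible_ipv4_headers(const uint8_t *frame, size_t len) {
    int n = 0;
    for (size_t off = ETH_HLEN; off + IPV4_HLEN <= len; off++) {
        const uint8_t *ip = frame + off;
        uint16_t total = (uint16_t)(ip[2] << 8 | ip[3]);
        if (ip[0] == 0x45 && ip_checksum(ip, IPV4_HLEN) == 0 &&
            total >= IPV4_HLEN && off + total <= len)
            n++;
    }
    return n;
}

int main(void) {
    uint8_t frame[128];
    size_t len = build_double_frame(frame, sizeof frame);
    struct ip_view v;
    int delivered = ip_input_view(frame, len, &v);
    printf("frame: %zu bytes; stack delivers %d datagram (ip_p %u, ip_len %u, %zu trailing bytes trimmed)\n",
           len, delivered, v.proto, v.total_len, v.trailing);
    printf("offsets that look like IPv4 headers: %d\n", count_plausible_ipv4_headers(frame, len));
    return 0;
}
```

Compile with cc -std=c99 -Wall and run: the stack view reports one datagram
(ip_p 17, ip_len 25) with 26 trailing bytes trimmed, while the offset scan
reports two headers. The point for the filtering question is that a filter
which parses the frame the way the stack does (first header, ip_len) and one
which pattern-matches across the whole frame can disagree about what the
frame contains, even though only the first packet is ever handed up the stack.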



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:57 CDT