On Mon, 2003-12-22 at 08:27, bill wrote:
Is it safe to assume that 99.9% of the Internet is running on 1500 MTU or higher these days?
define safe.
<GRIN> I agree, this is a bit of a loaded question. I guess by safe I mean "Is anyone aware of a specific link or set of conditions that could cause _legitimate_ non-last fragmented packets on the wire that have a size of less than 1200 bytes?" I agree there are bound to be inexperienced users who have shot themselves in the foot and tweaked their personal system lower than this threshold, thus my 99.9% requirement. I had a couple of people e-mail me about Cisco's Pre-fragmentation feature for IPSec. If I understand it correctly (someone please correct me if I'm wrong), it's the original datagrams that get fragmented. Thus it's the encapsulated payload that will have MF set, not the actual IPSec packet seen on the wire. With this in mind, the exposed IP header would just show it to be a small packet, not a small fragment. Am I off here?
now that you mention it... :) btw, what will your IDS/firewall do when presented w/ a 9k mtu?
Depends on the setup. I've actually been running this as a set of IDS rules for a few years and have detected a few 0-day events this way. I have not hit any false positives that I'm aware of, but then again we're only talking about my small view of the Internet. Thus my question to the group. If anyone is going to know the answer, it's this crew. :) I'm looking to move the rules into the firewall/IPS realm, but want to be sure before I do, as now we are talking about blocking the traffic rather than just recording it. First implementation would be a set of iptables rules, with pf shortly after. I have not seen any commercial firewalls with this type of capability, but I have not had a chance to focus on this aspect too deeply as of yet. Checkpoint has possibilities, but implementation would probably be beyond the typical point-and-click admin. Thanks for all the great feedback! C
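As an added illustration (not code from anyone in this thread), the check being discussed expressed in Python over raw IPv4 headers: flag a datagram whose MF bit is set but whose total length is below the 1200-byte threshold, and leave alone last fragments and whole small packets such as the outer ESP packet in the pre-fragmentation case. The 1200 threshold comes from the thread; the packet builder and its addresses are constructed for the example.

```python
import struct

THRESHOLD = 1200  # minimum plausible size of a non-last fragment, per the thread


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields needed to classify a fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "mf": bool(flags_frag & 0x2000),            # More Fragments bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "proto": proto,
    }


def suspicious_small_fragment(pkt: bytes, threshold: int = THRESHOLD) -> bool:
    """True only for a non-last fragment (MF set) smaller than the threshold.

    Last fragments (MF clear, offset > 0) and ordinary small datagrams, including
    a small outer ESP packet whose inner payload was pre-fragmented, are not flagged.
    """
    h = parse_ipv4(pkt)
    return h["mf"] and h["total_len"] < threshold


def build_ipv4(total_len: int, mf: bool, frag_offset: int, proto: int) -> bytes:
    """Constructed test packet: minimal 20-byte header plus zero padding (assumed helper)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + b"\x00" * (total_len - len(hdr))


if __name__ == "__main__":
    cases = {
        "576-byte non-last fragment": build_ipv4(576, True, 0, 17),
        "1500-byte first fragment": build_ipv4(1500, True, 0, 17),
        "300-byte last fragment": build_ipv4(300, False, 1480, 17),
        "120-byte ESP packet, MF clear": build_ipv4(120, False, 0, 50),
    }
    for name, pkt in cases.items():
        print(f"{name}: {'FLAG' if suspicious_small_fragment(pkt) else 'ok'}")
```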