Configuring IP virtual fragment reassembly
To make sure fragments arrive at a service module in order, the IP virtual fragment reassembly feature
virtually reassembles the fragments of a datagram through sequencing and caching. The IP virtual
fragment reassembly feature also prevents some service modules (such as IPsec, NAT, and firewall) from
processing packet fragments that do not arrive in order.
For security purposes, the IP virtual fragment reassembly feature can detect the following types of
fragment attacks, and discard the attack fragments:
• Tiny fragment attack—If the first fragment of an incoming datagram is smaller than the Layer 4 (such as TCP and UDP) header and the Layer 4 header is placed into the second fragment, a tiny fragment attack occurs.
• Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap each other, an overlapping fragment attack occurs.
• Buffer overflow attack—If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits, a buffer overflow attack occurs.
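The three checks above can be modeled in a few lines. The following Python sketch is an added example, not the router's implementation or code from this manual. The class name, result strings, and default limits are assumptions; offsets and lengths are in bytes of IP payload, and the overlap test compares against every cached fragment, which covers the consecutive case described above.

```python
from dataclasses import dataclass, field

L4_MIN_HEADER = {6: 20, 17: 8}  # protocol number -> minimum TCP/UDP header bytes

@dataclass
class VirtualReassembly:
    max_fragments: int = 16      # assumed per-datagram limit
    max_reassemblies: int = 64   # assumed concurrent-datagram limit
    table: dict = field(default_factory=dict)  # key -> cached spans and total

    def check(self, src, dst, proto, ip_id, offset, length, more_frags):
        """Classify one fragment; offset and length are bytes of IP payload."""
        key = (src, dst, proto, ip_id)
        # Tiny fragment: the first fragment cannot hold the Layer 4 header.
        if offset == 0 and more_frags and length < L4_MIN_HEADER.get(proto, 0):
            self.table.pop(key, None)
            return "tiny-fragment"
        if key not in self.table:
            if len(self.table) >= self.max_reassemblies:
                return "buffer-overflow"  # too many concurrent reassemblies
            self.table[key] = {"spans": [], "total": None}
        state = self.table[key]
        if len(state["spans"]) >= self.max_fragments:
            del self.table[key]
            return "buffer-overflow"      # too many fragments per datagram
        start, end = offset, offset + length
        # Overlap: byte range equals or intersects a cached fragment.
        if any(start < e and s < end for s, e in state["spans"]):
            del self.table[key]
            return "overlapping-fragment"
        state["spans"].append((start, end))
        if not more_frags:
            state["total"] = end  # last fragment fixes the datagram length
        if sum(e - s for s, e in state["spans"]) == state["total"]:
            del self.table[key]   # every byte seen exactly once
            return "complete"
        return "accept"

def demo():
    """Run constructed sample fragments (documentation addresses) through the checks."""
    vr = VirtualReassembly(max_fragments=3)
    a, b = "192.0.2.1", "198.51.100.7"
    return [
        vr.check(a, b, 17, 1, 0, 1480, True),     # normal first fragment
        vr.check(a, b, 17, 1, 1480, 520, False),  # last fragment, datagram done
        vr.check(a, b, 6, 2, 0, 8, True),         # TCP header split across fragments
        vr.check(a, b, 17, 3, 0, 800, True),
        vr.check(a, b, 17, 3, 400, 800, True),    # intersects the previous fragment
    ]
```

The model omits the reassembly timeout; a real cache also needs one so that incomplete datagrams do not hold entries indefinitely.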
Configuration guidelines
• The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP datagram cannot arrive through different interfaces.
Configuration procedure
To configure IP virtual fragment reassembly:
Step                                        Command                                      Remarks
1. Enter system view.                       system-view                                  N/A
2. Enter interface view.                    interface interface-type interface-number    N/A
3. Enable IP virtual fragment reassembly.   ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *    By default, the feature is disabled.
Configuration example
Network requirements
As shown in
, configure devices as follows:
• Router A connects to Host and Router B.
• NAT is enabled on Ethernet 1/2 of Router A.
• Configure IP virtual fragment reassembly on Ethernet 1/2 of Router A.