Proposals for Port Filtering
Allow-all-subsequent-packets
Don’t perform UDP/TCP port filtering on non-initial fragments
If initial fragment dropped, other IP fragments almost always ignored
Drop all TCP fragments with “offset 1”
Prevent TCP tiny-gram, port overwrite attacks
Add reference to RFC 1858
Put into “Security Considerations”?
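
The two proposals above, combined into one filter decision. This is an added example, not code from the presentation or from RFC 1858. The allowed-port set, the helper names, the sample packets and the choice to drop an initial fragment too short to carry ports are assumptions made for illustration.

```python
import struct

TCP, UDP = 6, 17
ALLOWED_PORTS = {80, 443}  # assumed policy for this example, not from the slide

def filter_ipv4(pkt: bytes, allowed=ALLOWED_PORTS) -> str:
    """Return 'accept' or 'drop' for one IPv4 packet (bytes start at the IP header)."""
    if len(pkt) < 20:
        return "drop"
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "drop"
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF  # fragment offset, 8-byte units
    proto = pkt[9]
    if proto not in (TCP, UDP):
        return "accept"                             # no ports to filter on
    if proto == TCP and offset == 1:
        # Offset 1 places data at byte 8 of the TCP header, i.e. inside it.
        return "drop"
    if offset != 0:
        # Non-initial fragment: no port check. It is of no use to the
        # receiver if the initial fragment was dropped.
        return "accept"
    l4 = pkt[ihl:]
    if len(l4) < 4:
        return "drop"                               # assumption: ports must be present
    dport = struct.unpack("!H", l4[2:4])[0]
    return "accept" if dport in allowed else "drop"

def make_ipv4(proto, offset, more_frags, payload):
    """Build a constructed sample packet; checksum is left 0 (the filter ignores it)."""
    frag = (0x2000 if more_frags else 0) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def tcp_header(dport, sport=40000):
    """Constructed 20-byte TCP header with SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 1024, 0, 0)

if __name__ == "__main__":
    samples = {
        "initial fragment, port 443": make_ipv4(TCP, 0, True, tcp_header(443)[:8]),
        "TCP fragment, offset 1": make_ipv4(TCP, 1, False, tcp_header(443)[8:]),
        "TCP fragment, offset 3": make_ipv4(TCP, 3, False, b"A" * 16),
    }
    for name, pkt in samples.items():
        print(f"{name}: {filter_ipv4(pkt)}")
```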