What does ip virtual-reassembly do?

Mar 12th, 2006

I found one link on the Cisco website explaining a little about virtual reassembly. What I don't understand is: when I enable that option on my tunnel interface, why can't I ping with packets larger than 1420 from the other end of the tunnel? When I disable virtual-reassembly on the tunnel interface, ping packets go through fine, as large as 1500. Why?

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455ad0.html

interface Tunnel1
 bandwidth 3072
 ip address xxx.xxx.xxx.xxx
 ip nat inside
 ip tcp adjust-mss 1420
 ip virtual-reassembly
 tunnel source Loopback1
 tunnel destination 192.168.1.1

The GRE tunnel is being encrypted locally on the router, FYI, and the CBAC IOS firewall is installed as well.

spremkumar Tue, 03/14/2006 - 04:13

Hi,

VFR is responsible for detecting and preventing the following types of fragment attacks:

• Tiny Fragment Attack—In this type of attack, the attacker makes the fragment size small enough to force Layer 4 (TCP and User Datagram Protocol (UDP)) header fields into the second fragment. Thus, the ACL rules that have been configured for those fields will not match.

VFR drops all tiny fragments, and an alert message such as the following is logged to the syslog server: "VFR-3-TINY_FRAGMENTS."

• Overlapping Fragment Attack—In this type of attack, the attacker can overwrite the fragment offset in the noninitial IP fragment packets. When the firewall reassembles the IP fragments, it might create wrong IP packets, causing the memory to overflow or your system to crash.

VFR drops all fragments within a fragment chain if an overlapping fragment is detected, and an alert message such as the following is logged to the syslog server: "VFR-3-OVERLAP_FRAGMENT."

• Buffer Overflow Attack—In this type of denial-of-service (DoS) attack, the attacker can continuously send a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

To avoid buffer overflow and control memory usage, configure a maximum threshold for the number of IP datagrams that are being reassembled and the number of fragments per datagram. (Both of these parameters can be specified via the ip virtual-reassembly command.)

When the maximum number of datagrams that can be reassembled at any given time is reached, all subsequent fragments are dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_FRAG_TABLE_OVERFLOW."

When the maximum number of fragments per datagram is reached, subsequent fragments will be dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_TOO_MANY_FRAGMENTS."

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of its fragments within the specified time, the timer will expire and the IP datagram (and all of its fragments) will be dropped.

Regards
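The following Python toy is an added example for this thread; it is not code from either post and not Cisco's implementation. It covers both halves of the discussion: the question's situation, where a 1500-byte ping has to be cut into fragments to fit a smaller tunnel MTU (1476 bytes, the usual GRE tunnel MTU, is assumed here), and the checks the reply lists, namely tiny fragments, overlapping fragments, the cap on datagrams under reassembly, the cap on fragments per datagram, and the per-datagram timer. The helper names (build_ipv4, parse_ipv4, fragment, VFR), the 10.0.0.1/10.0.0.2 addresses, the 8-byte minimum for a first fragment, and the 16/32/3-second thresholds (the defaults of the max-reassemblies, max-fragments and timeout keywords of ip virtual-reassembly, as I recall them) are all assumptions of this example. The alert strings are spelled exactly as the reply gives them; the timeout label is chosen here because the reply names none.

```python
import struct
import time

# Thresholds stand in for the ip virtual-reassembly keywords max-reassemblies,
# max-fragments and timeout; 16 / 32 / 3 s are assumed defaults for this toy.
MAX_REASSEMBLIES = 16
MAX_FRAGMENTS = 32
TIMEOUT_S = 3.0
MIN_FIRST_PAYLOAD = 8   # assumption: room for a UDP header or TCP port fields


def build_ipv4(ident, offset, more, payload, proto=17):
    """Minimal IPv4 header (checksum left zero) over payload; offset in bytes.
    Addresses 10.0.0.1 -> 10.0.0.2 are constructed sample values."""
    flags_frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "proto": pkt[9], "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def fragment(pkt, mtu):
    """Split one datagram so every piece fits mtu (payloads stay 8-aligned),
    the way a router does when the next hop's MTU is smaller than the packet."""
    f = parse_ipv4(pkt)
    chunk = (mtu - 20) // 8 * 8
    data, pos, out = f["payload"], 0, []
    while pos < len(data):
        piece = data[pos:pos + chunk]
        more = pos + len(piece) < len(data)
        out.append(build_ipv4(f["id"], pos, more, piece, f["proto"]))
        pos += len(piece)
    return out


class VFR:
    def __init__(self, max_reassemblies=MAX_REASSEMBLIES,
                 max_fragments=MAX_FRAGMENTS, timeout=TIMEOUT_S,
                 clock=time.monotonic):
        self.max_reassemblies, self.max_fragments = max_reassemblies, max_fragments
        self.timeout, self.clock = timeout, clock
        self.table = {}    # ident -> {"t": first seen, "frags": [(offset, bytes)]}
        self.alerts = []   # syslog-style names, spelled as in the reply

    def _drop(self, ident, alert):
        self.table.pop(ident, None)      # the whole chain goes, not one piece
        self.alerts.append(alert)
        return ("drop", alert)

    def expire(self):
        """Drop every datagram whose reassembly timer has run out."""
        now = self.clock()
        stale = [i for i, e in self.table.items() if now - e["t"] > self.timeout]
        for i in stale:
            self._drop(i, "TIMEOUT")     # label chosen here; the reply names none
        return len(stale)

    def submit(self, pkt):
        """Return ("pass", payload), ("hold", None) or ("drop", alert)."""
        self.expire()
        f = parse_ipv4(pkt)
        ident, off, data = f["id"], f["offset"], f["payload"]
        if off == 0 and not f["more"]:
            return ("pass", data)                     # not a fragment at all
        # Tiny fragment: first piece too short to carry the L4 header, so an
        # ACL keyed on ports or flags could never match it.
        if off == 0 and len(data) < MIN_FIRST_PAYLOAD:
            return self._drop(ident, "VFR-3-TINY_FRAGMENTS")
        entry = self.table.get(ident)
        if entry is None:
            if len(self.table) >= self.max_reassemblies:
                return self._drop(ident, "VFR-4_FRAG_TABLE_OVERFLOW")
            entry = self.table[ident] = {"t": self.clock(), "frags": []}
        if len(entry["frags"]) >= self.max_fragments:
            return self._drop(ident, "VFR-4_TOO_MANY_FRAGMENTS")
        # Overlap: a byte range intersecting one already held means the
        # offsets were rewritten; discard the chain rather than pick a copy.
        for o, d in entry["frags"]:
            if off < o + len(d) and o < off + len(data):
                return self._drop(ident, "VFR-3-OVERLAP_FRAGMENT")
        entry["frags"].append((off, data))
        if not f["more"]:
            entry["total"] = off + len(data)          # last piece fixes the size
        if "total" not in entry:
            return ("hold", None)
        pos = 0
        for o, d in sorted(entry["frags"]):
            if o != pos:
                return ("hold", None)                 # gap: keep waiting
            pos += len(d)
        del self.table[ident]
        return ("pass", b"".join(d for _, d in sorted(entry["frags"])))


if __name__ == "__main__":
    ping = build_ipv4(1, 0, False, b"E" * 1480, proto=1)   # 1500-byte echo
    frags = fragment(ping, 1476)                            # assumed GRE MTU
    vfr = VFR()
    print([len(p) for p in frags], [vfr.submit(p)[0] for p in frags])
```

Run stand-alone, the script shows the 1500-byte echo becoming a 1476-byte and a 44-byte fragment, with the first held and the second completing the datagram. The same object also demonstrates the other branches: a 4-byte initial fragment is dropped as tiny, a second fragment whose byte range intersects the first kills the whole chain, and once the table or a chain hits its cap further fragments are dropped until the timer clears the stale entry.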

Posted March 12, 2006 at 7:36 AM