I found one link on the Cisco website explaining a little about virtual reassembly. What I don't understand is: when I enable that option on my tunnel interface, why can't I ping with packets larger than 1420 from the other end of the tunnel? When I disable virtual-reassembly on the tunnel interface, ping packets go through fine, as large as 1500. Why?
VFR is responsible for detecting and preventing the following types of fragment attacks:
Tiny Fragment Attack
In this type of attack, the attacker makes the fragment size small enough to force Layer 4 (TCP and User Datagram Protocol (UDP)) header fields into the second fragment. Thus, the ACL rules that have been configured for those fields will not match.
VFR drops all tiny fragments, and an alert message such as follows is logged to the syslog server: "VFR-3-TINY_FRAGMENTS."
Overlapping Fragment Attack
In this type of attack, the attacker can overwrite the fragment offset in the noninitial IP fragment packets. When the firewall reassembles the IP fragments, it might create wrong IP packets, causing the memory to overflow or your system to crash.
VFR drops all fragments within a fragment chain if an overlap fragment is detected, and an alert message such as follows is logged to the syslog server: "VFR-3-OVERLAP_FRAGMENT."
Buffer Overflow Attack
In this type of denial-of-service (DoS) attack, the attacker can continuously send a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.
To avoid buffer overflow and control memory usage, configure a maximum threshold for the number of IP datagrams that are being reassembled and the number of fragments per datagram. (Both of these parameters can be specified via the ip virtual-reassembly command.)
When the maximum number of datagrams that can be reassembled at any given time is reached, all subsequent fragments are dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_FRAG_TABLE_OVERFLOW."
When the maximum number of fragments per datagram is reached, subsequent fragments will be dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_TOO_MANY_FRAGMENTS."
In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time, the timer will expire and the IP datagram (and all of its fragments) will be dropped.
Run the commands below and you will see the parameters configured for each interface.
For my case, the GigabitEthernet interface is with the default values, since I only enabled ip virtual-reassembly in.
RT01# show running-config interface gi0/0
interface GigabitEthernet0/0
 ip virtual-reassembly in

RT01#show ip virtual-reassembly
GigabitEthernet0/0:
   Virtual Fragment Reassembly (VFR) is ENABLED [in]
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF

   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:8134
   Total reassembly timeout count:0
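To make the four drop rules quoted above concrete, here is a small Python model of a virtual fragment reassembler that applies them, using the defaults shown in the show ip virtual-reassembly output (16 concurrent reassemblies, 32 fragments per datagram, 3 second timeout). This is an added illustration written for this thread, not Cisco's code. It assumes that a first fragment must carry at least 8 bytes of payload (enough for the TCP/UDP port fields) to count as not "tiny", the timeout alert text is made up because the quoted documentation gives no mnemonic for it, and all traffic in demo() is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults taken from the 'show ip virtual-reassembly' output on this page
MAX_REASSEMBLIES = 16
MAX_FRAGMENTS = 32
TIMEOUT_SECONDS = 3.0
# Assumption for this model: the first fragment must carry at least the
# 8 bytes of L4 header holding the TCP/UDP source and destination ports.
MIN_FIRST_FRAGMENT_PAYLOAD = 8

DatagramKey = Tuple[str, str, int, int]  # (src, dst, protocol, IP identification)


@dataclass
class Fragment:
    key: DatagramKey
    offset: int     # byte offset of this payload within the original datagram
    length: int     # payload bytes carried by this fragment
    more: bool      # IP "more fragments" flag
    arrived: float  # arrival time in seconds (constructed clock)


@dataclass
class Chain:
    started: float
    frags: List[Fragment] = field(default_factory=list)
    total: Optional[int] = None  # known once the last fragment (MF=0) arrives


class VirtualReassembler:
    """Tracks fragment chains and applies the VFR drop rules from the text."""

    def __init__(self, max_reassemblies=MAX_REASSEMBLIES, max_fragments=MAX_FRAGMENTS,
                 timeout=TIMEOUT_SECONDS, min_first=MIN_FIRST_FRAGMENT_PAYLOAD):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.min_first = min_first
        self.table: Dict[DatagramKey, Chain] = {}
        self.alerts: List[str] = []  # stand-in for the syslog messages

    def _expire(self, now: float) -> None:
        # Managed timer: a chain that never completes is dropped whole.
        for key in [k for k, c in self.table.items() if now - c.started >= self.timeout]:
            del self.table[key]
            self.alerts.append("reassembly timeout (constructed message)")

    def accept(self, frag: Fragment) -> str:
        self._expire(frag.arrived)
        # Tiny fragment: L4 header fields would be pushed into the next fragment.
        if frag.offset == 0 and frag.more and frag.length < self.min_first:
            self.alerts.append("VFR-3-TINY_FRAGMENTS")
            return "drop:tiny"
        chain = self.table.get(frag.key)
        if chain is None:
            if len(self.table) >= self.max_reassemblies:
                self.alerts.append("VFR-4_FRAG_TABLE_OVERFLOW")
                return "drop:table-full"
            chain = self.table[frag.key] = Chain(started=frag.arrived)
        # Overlap: any byte already covered by a queued fragment drops the whole chain.
        lo, hi = frag.offset, frag.offset + frag.length
        if any(lo < f.offset + f.length and f.offset < hi for f in chain.frags):
            del self.table[frag.key]
            self.alerts.append("VFR-3-OVERLAP_FRAGMENT")
            return "drop:overlap"
        if len(chain.frags) >= self.max_fragments:
            self.alerts.append("VFR-4_TOO_MANY_FRAGMENTS")
            return "drop:too-many"
        chain.frags.append(frag)
        if not frag.more:
            chain.total = hi
        if chain.total is not None and self._covered(chain):
            del self.table[frag.key]
            return "complete"
        return "queued"

    @staticmethod
    def _covered(chain: Chain) -> bool:
        # Complete when the sorted fragments tile [0, total) with no gaps.
        pos = 0
        for f in sorted(chain.frags, key=lambda f: f.offset):
            if f.offset != pos:
                return False
            pos += f.length
        return pos == chain.total


def demo() -> dict:
    """Constructed traffic: a clean 3-fragment datagram, a tiny first fragment,
    an overlapping chain, and a flood of incomplete datagrams that fills the table."""
    vfr = VirtualReassembler()
    good = ("10.0.0.1", "10.0.0.2", 17, 100)
    results = {"good": [vfr.accept(Fragment(good, 0, 1480, True, 0.0)),
                        vfr.accept(Fragment(good, 1480, 1480, True, 0.1)),
                        vfr.accept(Fragment(good, 2960, 200, False, 0.2))]}
    results["tiny"] = vfr.accept(Fragment(("10.0.0.1", "10.0.0.2", 6, 101), 0, 4, True, 0.3))
    ov = ("10.0.0.1", "10.0.0.2", 6, 102)
    results["overlap"] = [vfr.accept(Fragment(ov, 0, 1480, True, 0.4)),
                          vfr.accept(Fragment(ov, 1000, 1480, True, 0.5))]  # re-covers 1000..1480
    flood = [vfr.accept(Fragment(("10.0.0.9", "10.0.0.2", 17, 1000 + i), 0, 1480, True, 1.0))
             for i in range(17)]  # the 17th new chain exceeds max-reassemblies
    results["flood_last"] = flood[-1]
    # Past the timeout the stale chains are purged and new ones are accepted again.
    results["after_timeout"] = vfr.accept(Fragment(("10.0.0.9", "10.0.0.2", 17, 2000), 0, 1480, True, 5.0))
    results["alerts"] = list(vfr.alerts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the per-datagram fragment limit is applied to every subsequent fragment, including the final one, so a datagram that exceeds max-fragments can never complete; that matches the quoted text and is why tuning max-fragments matters on links carrying heavily fragmented traffic.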