Table of ContentsAccess Control Lists and IP Fragments.1 Document ID: 8014 .1Introduction.1Types of ACL Entries.2ACL Rules Flowchart.3How Packets Can Match an ACL.4Example 1.4Example 2.4fragments Keyword Scenarios.5Scenario 1 .5Scenario 2 .6Related Information.9Cisco Access Control Lists and IP FragmentsiAccess Control Lists and IP FragmentsDocument ID: 8014Introduction Types of ACL Entries ACL Rules Flowchart How Packets Can Match an ACLExample 1Example 2 fragments Keyword ScenariosScenario 1Scenario 2 Related InformationIntroductionThis White Paper explains the different kinds of Access Control List (ACL) entries and what happens when different kinds of packets encounter these various entries. ACLs are used to block IP packets from being forwarded by a router.RFC 1858 covers security considerations for IP fragment filtering and highlights two attacks on hosts that involve IP fragments of TCP packets, the Tiny Fragment Attack and the Overlapping Fragment Attack. Blocking these attacks is desirable because they can compromise a host, or tie up all of its internal resources.RFC 1858 also describes two methods of defending against these attacks, the direct and the indirect. In the direct method, initial fragments that are smaller than a minimum length are discarded. The indirect method involves discarding the second fragment of a fragment set, if it starts 8 bytes into the original IP datagram. Please see RFC 1858 for more details.Traditionally, packet filters like ACLs are applied to the nonfragments and the initial fragment of an IP packet because they contain both Layer 3 and 4 information that the ACLs can match against for a permit or deny decision. Noninitial fragments are traditionally allowed through the ACL because they can be blocked based on Layer 3 information in the packets; however, because these packets do not contain Layer 4 information, they do not match the Layer 4 information in the ACL entry, if it exists. Allowing the noninitial fragments of an IP datagram through is acceptable because the host receiving the fragments is not able to reassemble the original IP datagram without the initial fragment.Firewalls can also be used to block packets by maintaining a table of packet fragments indexed by source and destination IP address, protocol, and IP ID. Both the Cisco PIX Firewall and the Cisco IOS Firewall can filter all the fragments of a particular flow by maintaining this table of information, but it is too expensive to do this on a router for basic ACL functionality. A firewalls primary job is to block packets, and its secondary role is to route packets; a routers primary job is to route packets, and its secondary role is to block them.Two changes were made in Cisco IOS Software Releases 12.1(2) and 12.0(11) to address some security issues surrounding TCP fragments. The indirect method, as described in RFC 1858 , was implemented as part of the standard TCP/IP input packet sanity checking. Changes were also made to ACL functionality with respect to noninitial fragments.Cisco Access Control Lists and IP FragmentsTypes of ACL EntriesThere are six different types of ACL lines, and each has a consequence if a packet does or does not match. In the following list, FO = 0 indicates a nonfragment or an initial fragment in a TCP flow, FO 0 indicates that the packet is a noninitial fragment, L3 means