topic Re: What does ip virtual-reassembly do????? in Network Security

What does ip virtual-reassembly do?????

glenthms — Fri, 21 Feb 2020 08:46:01 GMT

I found one link on cisco website explaining a little about virtual reassembly, what I dont understand is when I enable that option on my tunnel interface why I cannot ping packets larger than 1420 from the other end of the tunnel?? When I disable virtual-reassembly on the tunnel interfaced ping packets go thru fine as large as 1500. Why??

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455ad0.html

interface Tunnel1

bandwidth 3072

ip address xxx.xxx.xxx.xxx

ip nat inside

ip tcp adjust-mss 1420

ip virtual-reassembly

tunnel source Loopback1

tunnel destination 192.168.1.1

The GRE tunnel is being encrypted locally on the router FYI. And CBAC firewall IOS installed as well.

Re: What does ip virtual-reassembly do?????

spremkumar — Tue, 14 Mar 2006 12:13:44 GMT

VFR is responsible for detecting and preventing the following types of fragment attacks:

•Tiny Fragment Attack—In this type of attack, the attacker makes the fragment size small enough to force Layer 4 (TCP and User Datagram Protocol (UDP)) header fields into the second fragment. Thus, the ACL rules that have been configured for those fields will not match.

VFR drops all tiny fragments, and an alert message such as follows is logged to the syslog server: "VFR-3-TINY_FRAGMENTS."

•Overlapping Fragment Attack—In this type of attack, the attacker can overwrite the fragment offset in the noninitial IP fragment packets. When the firewall reassembles the IP fragments, it might create wrong IP packets, causing the memory to overflow or your system to crash.

VFR drops all fragments within a fragment chain if an overlap fragment is detected, and an alert message such as follows is logged to the syslog server: "VFR-3-OVERLAP_FRAGMENT."

•Buffer Overflow Attack—In this type of denial-of-service (DoS) attack, the attacker can continuously send a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

To avoid buffer overflow and control memory usage, configure a maximum threshold for the number of IP datagrams that are being reassembled and the number of fragments per datagram. (Both of these parameters can be specified via the ip virtual-reassembly command.)

When the maximum number of datagrams that can be reassembled at any given time is reached, all subsequent fragments are dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_FRAG_TABLE_OVERFLOW."

When the maximum number of fragments per datagram is reached, subsequent fragments will be dropped, and an alert message such as the following is logged to the syslog server: "VFR-4_TOO_MANY_FRAGMENTS."

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time, the timer will expire and the IP datagram (and all of its fragments) will be dropped.

regds

Re: What does ip virtual-reassembly do?????

Velos-itnet — Thu, 24 Aug 2017 22:41:44 GMT

Very nicely done. One thing though , can you specify how many packets are the limit of tresh hold ?

Re: What does ip virtual-reassembly do?????

evertonpsp — Mon, 04 Sep 2017 11:18:24 GMT

Run the command below and you will see the parameters configured for each interface

For my case, the GigabitEthernet interface is with the default values, since I only enabled ip virtual-reassembly in.

RT01# show running-config interface gi0/0

interface GigabitEthernet0/0
ip virtual-reassembly in

RT01#show ip virtual-reassembly
GigabitEthernet0/0:
Virtual Fragment Reassembly (VFR) is ENABLED [in]
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF

Current reassembly count:0
Current fragment count:0
Total reassembly count:8134
Total reassembly timeout count:0

I hope I have helped.

Best regards.