Virtual Fragmentation Reassembly

First Published: November 24, 2010
Last Updated: November 24, 2010

Virtual fragmentation reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate dynamic access control lists (ACLs) to protect the network from various fragmentation attacks.

Without VFR, the Cisco IOS Firewall—specifically Context-based Access Control (CBAC) and the Intrusion Detection System (IDS)—cannot identify the contents of the IP fragments nor can it gather port information from the fragment. These inabilities allow the fragments to pass through the network without being examined or without dynamic ACL creation.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Virtual Fragmentation Reassembly" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Restrictions for Virtual Fragmentation Reassembly

Information About Virtual Fragmentation Reassembly

How to Configure Virtual Fragmentation Reassembly

Configuration Examples for Fragmentation Reassembly

Additional References

Feature Information for Virtual Fragmentation Reassembly

Restrictions for Virtual Fragmentation Reassembly

Performance Impact

VFR has a performance cost because it copies packets, validates each fragment, and reorders fragments into datagrams. The cost grows with the number of IP datagrams that are being reassembled concurrently.

VFR Configuration Restriction

VFR should not be enabled on a router that is placed on an asymmetric path. The reassembly process requires all of the fragments within an IP datagram. Routers placed in the asymmetric path may not receive all of the fragments, so the fragment reassembly will fail.

Information About Virtual Fragmentation Reassembly

VFR Detection of Fragment Attacks

VFR Enablement

VFR on Outbound Interfaces

VFR Detection of Fragment Attacks

VFR is responsible for detecting and preventing the following types of fragment attacks:

Tiny fragment attack—In this type of attack, the attacker makes the initial fragment so small that the Layer 4 (TCP or UDP) header fields, including the port numbers, are pushed into the second fragment. ACL rules that match on those fields cannot be evaluated against the first fragment, and noninitial fragments carry no Layer 4 header, so the rules never match.

VFR drops all tiny fragments, and an alert message such as "VFR-3-TINY_FRAGMENTS" is logged to the syslog server.

Overlapping fragment attack—In this type of attack, the attacker sets the fragment offset of a noninitial IP fragment so that it overlaps data already carried in an earlier fragment, for example the Layer 4 header that was already inspected. When the firewall reassembles such fragments, it might build an invalid IP packet, causing memory corruption or exhaustion or a system reload.

VFR drops all fragments within a fragment chain if an overlap fragment is detected.

Buffer overflow attack—In this type of denial-of-service (DoS) attack, the attacker continuously sends a large number of incomplete IP fragments, causing the firewall to consume CPU time and memory while it waits to reassemble datagrams that will never be completed.

To avoid buffer overflow and control memory use, configure a maximum threshold for the number of IP datagrams that are being reassembled and the number of fragments per datagram. You can use the ip virtual-reassembly command or the ip virtual-reassembly-out command to specify these parameters.

When the maximum number of datagrams that can be reassembled at any given time is reached, all subsequent fragments are dropped, and the global statistics item "ReassDrop" is incremented by one.

When the maximum number of fragments per datagram is reached, subsequent fragments are dropped, and the global statistics item "ReassTooManyFrags" is incremented by one.

In addition to the maximum threshold values, each IP datagram being reassembled is associated with a managed timer (the timeout keyword). If all of the fragments of the IP datagram do not arrive before the timer expires, the IP datagram and all of the fragments received so far are dropped.
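The checks listed above, modelled in Python as an added example (this is not Cisco's VFR implementation, which the page does not publish). The fragment streams are constructed inline; the threshold names mirror the ip virtual-reassembly keywords, the counters ReassDrop and ReassTooManyFrags mirror the statistics named above, and the 8-byte minimum for an initial fragment is an assumption taken from RFC 1858's guidance rather than a figure from this page.

```python
"""Model of the VFR checks described above: tiny-fragment rejection, overlap
detection inside a fragment chain, the max-fragments cap per datagram, the
max-reassemblies cap on concurrent datagrams and the reassembly timeout.
Added example, not Cisco code; fragment streams are constructed inline."""
from dataclasses import dataclass

# Assumption (RFC 1858 guidance, not a figure from this page): an initial
# fragment shorter than this cannot carry the TCP/UDP port fields.
MIN_FIRST_FRAGMENT_BYTES = 8


@dataclass
class Fragment:
    dgram_id: tuple   # (src, dst, proto, ip_id) identifies the datagram
    offset: int       # byte offset of this fragment's payload
    length: int       # payload length in bytes
    more: bool        # MF flag: set on every fragment except the last


class VirtualReassembler:
    def __init__(self, max_reassemblies=64, max_fragments=16, timeout=5):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.table = {}   # dgram_id -> [first_seen, [fragments held so far]]
        self.stats = dict(ReassDrop=0, ReassTooManyFrags=0, ReassTimeout=0,
                          TinyFragments=0, OverlapFragments=0)

    def expire(self, now):
        """Drop every datagram whose fragments did not all arrive within timeout."""
        for key in [k for k, (t0, _) in self.table.items() if now - t0 > self.timeout]:
            del self.table[key]
            self.stats["ReassTimeout"] += 1

    def accept(self, frag, now):
        """Return 'pass', 'drop' or 'complete' for one arriving fragment."""
        self.expire(now)
        # Tiny fragment: an initial fragment too short to hold the L4 ports.
        if frag.offset == 0 and frag.more and frag.length < MIN_FIRST_FRAGMENT_BYTES:
            self.stats["TinyFragments"] += 1
            return "drop"
        if frag.dgram_id not in self.table:
            if len(self.table) >= self.max_reassemblies:   # table full
                self.stats["ReassDrop"] += 1
                return "drop"
            self.table[frag.dgram_id] = [now, []]
        frags = self.table[frag.dgram_id][1]
        # Overlap: a byte range already held is rejected together with the whole chain.
        if any(frag.offset < h.offset + h.length and h.offset < frag.offset + frag.length
               for h in frags):
            del self.table[frag.dgram_id]
            self.stats["OverlapFragments"] += 1
            return "drop"
        if len(frags) >= self.max_fragments:
            self.stats["ReassTooManyFrags"] += 1
            return "drop"
        frags.append(frag)
        if self._is_complete(frags):
            del self.table[frag.dgram_id]   # datagram can now be inspected; free the slot
            return "complete"
        return "pass"

    @staticmethod
    def _is_complete(frags):
        """Complete when fragments are contiguous from offset 0 and the last has MF clear."""
        end = 0
        for f in sorted(frags, key=lambda f: f.offset):
            if f.offset != end:
                return False
            end = f.offset + f.length
        return not max(frags, key=lambda f: f.offset).more


def run_scenarios():
    """Constructed fragment streams, one per check; returns the verdicts."""
    A = ("10.1.1.1", "10.2.2.2", 6, 1)
    B = ("10.1.1.1", "10.2.2.2", 6, 2)
    out = {}
    r = VirtualReassembler()
    out["benign"] = [r.accept(Fragment(A, 0, 24, True), 0.0), r.accept(Fragment(A, 24, 16, False), 0.1)]
    r = VirtualReassembler()
    out["tiny"] = r.accept(Fragment(A, 0, 4, True), 0.0)
    r = VirtualReassembler()
    r.accept(Fragment(A, 0, 24, True), 0.0)
    # second fragment claims bytes 16..31, overwriting the tail of the first
    out["overlap"] = (r.accept(Fragment(A, 16, 16, False), 0.1), A in r.table)
    r = VirtualReassembler(max_fragments=3)
    verdicts = [r.accept(Fragment(A, off, 8, True), 0.0) for off in (0, 8, 16, 24)]
    out["too_many"] = (verdicts[-1], r.stats["ReassTooManyFrags"])
    r = VirtualReassembler(max_reassemblies=1)
    r.accept(Fragment(A, 0, 24, True), 0.0)
    out["table_full"] = (r.accept(Fragment(B, 0, 24, True), 0.0), r.stats["ReassDrop"])
    r = VirtualReassembler(timeout=5)
    r.accept(Fragment(A, 0, 24, True), 0.0)
    r.accept(Fragment(B, 0, 24, True), 9.0)   # arrives after A's timer has expired
    out["timeout"] = (A in r.table, r.stats["ReassTimeout"])
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:11s} {verdict}")
```

The overlap rule drops the entire chain rather than only the offending fragment, as the text states: once one fragment has lied about its offset, nothing already held for that datagram can be trusted. Note that the model does not copy payload bytes; like VFR it only tracks offsets, lengths and flags, which is enough to decide whether a datagram is safe to pass on to inspection.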

VFR Enablement

VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). By default, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.

If more than one feature attempts to automatically enable VFR on an interface, VFR will maintain a reference count to keep track of the number of features that have enabled VFR. When the reference count is reduced to zero, VFR is automatically disabled.

VFR on Outbound Interfaces

In Cisco IOS XE Release 3.2S and later releases, you can use the ip virtual-reassembly-out command to manually enable or disable VFR on outbound interface traffic.

How to Configure Virtual Fragmentation Reassembly

Configuring VFR (optional)

Enabling VFR Manually on Outbound Interface Traffic (optional)

Configuring VFR

Perform this task to enable VFR on an interface, specify maximum threshold values to combat buffer overflow and control memory usage, and verify any VFR configurations.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

5. exit

6. exit

7. show ip virtual-reassembly [interface type]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface GigabitEthernet0/0/1

Configures an interface type and enters interface configuration mode.

Step 4 

ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

Example:

Router(config-if)# ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5

Enables VFR on the interface and specifies the maximum threshold values.

Step 5 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode.

Step 6 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 7 

show ip virtual-reassembly [interface type]

Example:

Router# show ip virtual-reassembly GigabitEthernet0/0/1

Displays the configuration and statistical information of the VFR.

If an interface is not specified, VFR information is shown for all configured interfaces.

Enabling VFR Manually on Outbound Interface Traffic

Perform this task to enable VFR manually on outbound interface traffic. You can use this procedure to reenable VFR on outbound interface traffic if it is disabled, for example, by the no ip virtual-reassembly command.


Note If VFR is enabled on both inbound and outbound interface traffic, you can use the no ip virtual-reassembly-out command to disable it on only the outbound interface traffic.


SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip virtual-reassembly-out [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface GigabitEthernet0/0/1

Configures an interface type and enters interface configuration mode.

Step 4 

ip virtual-reassembly-out [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

Example:

Router(config-if)# ip virtual-reassembly-out max-reassemblies 64 max-fragments 16 timeout 5

Enables VFR on outbound traffic of the interface and specifies the maximum threshold values.

Step 5 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode.

Troubleshooting Tips

To display debugging messages related to the VFR subsystem, use the debug ip virtual-reassembly command.

Configuration Examples for Fragmentation Reassembly

Example: Configuring VFR on Outbound Interface Traffic

Example: Configuring VFR on Outbound Interface Traffic

The following example shows how to manually enable VFR on outbound traffic on interfaces GigabitEthernet0/0/1, GigabitEthernet0/0/0.773, and Serial 3/0:


interface Loopback 0 
ip address 10.0.1.1 255.255.255.255
!
interface GigabitEthernet0/0/1
description LAN1 
ip address 10.4.0.2 255.255.255.0 
ip virtual-reassembly-out 
!
interface GigabitEthernet0/0/0.773
encapsulation dot1Q 773
description LAN2 
ip address 10.15.0.2 255.255.255.0 
ip virtual-reassembly-out 
!
interface Serial 3/0 
description Internet 
ip unnumbered Loopback0 
encapsulation ppp 
ip virtual-reassembly-out 
serial restart-delay 0
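A configuration audit for the tasks above, added here as an example; it is not part of Cisco's documentation or software and the check is my own, not an IOS command. It parses an IOS-style running-config (constructed inline, extending the example above with explicit thresholds on two interfaces) and reports every interface on which VFR is enabled without explicit max-reassemblies, max-fragments or timeout values, that is, where the caps that bound the buffer overflow attack are left at whatever the platform defaults are. The interface and sub-command layout assumed is that of show running-config; the option keywords are the ones in the command syntax above.

```python
"""Audit ip virtual-reassembly / ip virtual-reassembly-out settings in an
IOS-style running-config.  Added example, not Cisco code; SAMPLE_CONFIG is
constructed for this example."""

SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
!
interface GigabitEthernet0/0/1
 description LAN1
 ip address 10.4.0.2 255.255.255.0
 ip virtual-reassembly-out
!
interface GigabitEthernet0/0/0.773
 encapsulation dot1Q 773
 description LAN2
 ip address 10.15.0.2 255.255.255.0
 ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5
 ip virtual-reassembly-out
!
interface Serial3/0
 description Internet
 ip unnumbered Loopback0
 encapsulation ppp
 ip virtual-reassembly-out max-reassemblies 32
 serial restart-delay 0
!
"""

THRESHOLDS = ("max-reassemblies", "max-fragments", "timeout")


def parse_vfr_line(line):
    """Return (direction, settings) for an ip virtual-reassembly[-out] line, else None.
    Keywords may appear in any order; unknown words raise so typos are not audited silently."""
    t = line.split()
    if len(t) < 2 or t[0] != "ip" or t[1] not in ("virtual-reassembly", "virtual-reassembly-out"):
        return None
    direction = "out" if t[1].endswith("-out") else "in"
    settings = {k: None for k in THRESHOLDS}
    settings["drop-fragments"] = False
    i = 2
    while i < len(t):
        if t[i] == "drop-fragments":
            settings["drop-fragments"] = True
            i += 1
        elif t[i] in THRESHOLDS and i + 1 < len(t) and t[i + 1].isdigit():
            settings[t[i]] = int(t[i + 1])
            i += 2
        else:
            raise ValueError(f"unrecognised VFR option in: {line.strip()}")
    return direction, settings


def parse_config(text):
    """Map interface name -> {'in': settings or None, 'out': settings or None}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"in": None, "out": None}
        elif raw.startswith("!"):
            current = None           # end of the interface block
        elif current and raw.startswith(" "):
            parsed = parse_vfr_line(raw)
            if parsed:
                interfaces[current][parsed[0]] = parsed[1]
    return interfaces


def audit(interfaces):
    """One finding per VFR direction that relies on default thresholds."""
    findings = []
    for name, dirs in interfaces.items():
        for direction, s in dirs.items():
            if s is None:
                continue
            missing = [k for k in THRESHOLDS if s[k] is None]
            if missing:
                findings.append((name, direction, "default " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for name, direction, note in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name:28s} {direction:3s} {note}")
```

Run against a real device, feed it the output of show running-config and compare the findings with show ip virtual-reassembly, which reports the values actually in effect, including VFR that NAT or the firewall enabled internally and that therefore never appears as a configuration line.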

Additional References

Related Documents


Standards

Standards
Title

None


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 791

Internet Protocol

RFC 1858

Security Considerations for IP Fragment Filtering


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Virtual Fragmentation Reassembly

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Virtual Fragmentation Reassembly 

Feature Name
Releases
Feature Information

Virtual Fragmentation Reassembly

Cisco IOS XE
Release 3.2S

VFR enables the Cisco IOS Firewall to create the appropriate dynamic ACLs to protect the network from various fragmentation attacks.

In Cisco IOS XE Release 3.2S, functionality to manually configure VFR for outbound or inbound interface traffic was added.

The following commands were introduced or modified: ip virtual-reassembly-out, show ip virtual-reassembly.