This is a "report" I've sent to 3Com some days ago.

>While evaluating the 3Com layer 3 switch CoreBuilder 3500 I've detected, while
>reading the "CoreBuilder 3500 Implementation Guide V2.0.0, PN:10011376", that
>several examples given in the Packet Filtering Chapter 10 have serious
>"security mistakes".

>ALL the examples of packet filtering of IP packets based on UDP/TCP port
>information are wrong, simply because it is assumed that the transport header
>follows the basic IP header, which isn't always true because between the
>basic IP header and the transport layer header, a variable amount of IP
>options can appear.

>We can't simply index to position 24?? of the Ethernet frame to get the
>transport layer port information; this is only true if there are no options
>following the IP header.

>Pages that I found giving wrong ideas/examples about this subject: From 198 till 206

>Conclusion: Using this packet filtering syntax it isn't possible to filter
>packets based on information that appears in variable positions in the MAC
>frames.

>3Com is saying that this "Packet Filtering" feature does things that it
>doesn't do.

>PS: I've also reported this to the 3Com local representative.

>Am I wrong?

[]---------------------------------------------------------------[]
Pedro Ribeiro
Online: http://www.isel.pt/~pribeiro/
IRC(PTnet) Nick: PAntMaR
e-Mail: Personal: pribeiroat_private
        Admin: adminat_private
[]---------------------------------------------------------------[]
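
The report's point, as an added example that is not part of the original post or of 3Com's documentation: a port check that reads a fixed frame offset next to one that locates the transport header through the IPv4 IHL field. It assumes untagged Ethernet II framing; the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_HLEN = 14              # untagged Ethernet II header (assumption)
ETHERTYPE_IPV4 = 0x0800

def dst_port_fixed(frame: bytes) -> int:
    """Fixed-offset read: only correct when the IPv4 header is exactly 20 bytes."""
    return struct.unpack_from("!H", frame, ETH_HLEN + 20 + 2)[0]

def dst_port_ihl(frame: bytes):
    """Find the TCP/UDP destination port via IHL; None if there is no port to read."""
    if len(frame) < ETH_HLEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[ETH_HLEN]
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes, 20..60
    if ver_ihl >> 4 != 4 or ihl < 20:
        return None
    if struct.unpack_from("!H", frame, ETH_HLEN + 6)[0] & 0x1FFF:
        return None                         # non-first fragment: no transport header
    if frame[ETH_HLEN + 9] not in (6, 17):  # TCP or UDP only
        return None
    l4 = ETH_HLEN + ihl                     # transport header starts after the options
    if len(frame) < l4 + 4:
        return None
    return struct.unpack_from("!H", frame, l4 + 2)[0]

def build_frame(options: bytes, sport: int, dport: int) -> bytes:
    """Constructed sample: Ethernet + IPv4 (+ options) + UDP header, checksums left 0."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl_words = 5 + len(options) // 4
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     ihl_words * 4 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + options + udp

if __name__ == "__main__":
    for name, opts in (("no options", b""), ("4 bytes of NOP options", b"\x01" * 4)):
        f = build_frame(opts, 1024, 53)
        print(f"{name}: fixed={dst_port_fixed(f)} ihl={dst_port_ihl(f)}")
```

A filter that cannot compute this offset can still fail closed by matching the first IP header byte against 0x45 and dropping or separately handling frames with any other header length.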
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:53 PDT