IP Fragment Handling by ACLs

IP fragments pose a special challenge to ACL processing on routers. IP fragments contain limited information, making it difficult for ACLs to process them properly. In addition, they can be used to stage certain types of attacks. This section looks at how Cisco's implementation of ACLs deals with IP fragmentation-based issues.

Filtering IP Fragments

Noninitial fragments do not contain Layer 4 and above information. For most legitimate packets, this information is carried only in the packet's initial fragment (fragment offset [FO] = 0 for the initial fragment). Therefore, it is impossible for access lists that filter on Layer 4 information, such as TCP port numbers, to figure out whether a fragment that contains ...
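The following is an added illustration, not code from the book or from Cisco, that models the problem just described. It parses constructed IPv4 fragments, extracts TCP/UDP ports only when the fragment is the initial one (FO = 0), and runs a simplified first-match ACL over them. The Rule class, the noninitial_only flag (a stand-in for an ACL entry written specifically for noninitial fragments), and the two sample ACLs are assumptions made for the example; the first ACL shows that a port-based entry cannot be evaluated against a noninitial fragment, and the second shows one fragment-aware arrangement that closes that gap.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
MF_FLAG = 0x2000  # "More Fragments" bit in the 16-bit flags/fragment-offset field


@dataclass
class IPv4Fragment:
    proto: int
    src: str
    dst: str
    frag_offset: int      # in 8-byte units, as carried in the header
    more_fragments: bool
    payload: bytes        # bytes following the IP header

    @property
    def is_initial(self) -> bool:
        # Initial fragment (or an unfragmented datagram): FO = 0
        return self.frag_offset == 0

    @property
    def is_noninitial(self) -> bool:
        return self.frag_offset != 0


def parse_ipv4(pkt: bytes) -> IPv4Fragment:
    """Decode the fixed IPv4 header fields an ACL needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return IPv4Fragment(proto=proto,
                        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
                        frag_offset=flags_off & 0x1FFF,
                        more_fragments=bool(flags_off & MF_FLAG),
                        payload=pkt[ihl:])


def l4_ports(frag: IPv4Fragment) -> Optional[Tuple[int, int]]:
    """(sport, dport), but only when this fragment actually carries them."""
    if not frag.is_initial or frag.proto not in (TCP, UDP) or len(frag.payload) < 4:
        return None
    return struct.unpack("!HH", frag.payload[:4])


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[int] = None     # None = any protocol (Layer 3 only)
    dst_port: Optional[int] = None  # Layer 4 criterion; None = no port test
    noninitial_only: bool = False   # hypothetical: entry that applies only to noninitial fragments


def evaluate(acl: List[Rule], frag: IPv4Fragment) -> Tuple[str, str]:
    """First-match evaluation; returns (action, reason). Implicit deny at the end."""
    ports = l4_ports(frag)
    for i, rule in enumerate(acl):
        if rule.noninitial_only and not frag.is_noninitial:
            continue
        if rule.proto is not None and rule.proto != frag.proto:
            continue
        if rule.dst_port is not None:
            if ports is None:
                # No Layer 4 header in this fragment: the port criterion cannot be
                # evaluated, so this entry neither permits nor denies it.
                continue
            if ports[1] != rule.dst_port:
                continue
        return rule.action, f"matched rule {i}"
    return "deny", "implicit deny"


def build_ipv4(proto: int, src: str, dst: str, frag_offset: int,
               more_fragments: bool, payload: bytes) -> bytes:
    """Constructed test packets (checksum left zero; not needed for ACL logic)."""
    flags_off = (MF_FLAG if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed sample: one TCP datagram to port 23, split into two fragments.
INITIAL = parse_ipv4(build_ipv4(TCP, "10.0.0.5", "192.0.2.10", 0, True,
                                struct.pack("!HH", 40000, 23) + b"\x00" * 16))
NONINITIAL = parse_ipv4(build_ipv4(TCP, "10.0.0.5", "192.0.2.10", 3, False, b"\x00" * 8))

# ACL with a Layer 4 entry only: the noninitial fragment is never tested against it.
ACL_L4_ONLY = [Rule("deny", TCP, 23), Rule("permit")]
# Fragment-aware ACL: noninitial fragments are handled by an entry of their own.
ACL_FRAG_AWARE = [Rule("deny", noninitial_only=True), Rule("deny", TCP, 23), Rule("permit")]

if __name__ == "__main__":
    for name, acl in (("L4-only", ACL_L4_ONLY), ("fragment-aware", ACL_FRAG_AWARE)):
        print(name, "initial:", evaluate(acl, INITIAL), "noninitial:", evaluate(acl, NONINITIAL))
```

With the Layer-4-only ACL the initial fragment is denied but the noninitial fragment falls through to the final permit, because there are no port numbers to compare; the fragment-aware ACL catches it with a dedicated entry before any port test is reached.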

