Code View:
if {valid path found in routing table} then
    if {a match is found} then
        if {the action is to permit} then
            {router continues to process the packet}
        else {the action is to deny}
            {router discards the packet, sending an ICMP Unreachable message
            (type 3, code 13, administratively prohibited) to the source
            address in the packet - assuming this is not disabled with
            'no ip unreachables' on the interface}
        endif
    else {a match is not found}
        {with the default 'implicit deny' statement at the end of every ACL,
        the router discards the packet, sending an ICMP Unreachable message}
    endif
else {valid path not found in routing table, the router drops the packet}
endif
Note that the order shown (routing-table lookup first, then the ACL) is the outbound case. An inbound ACL is evaluated before the routing lookup, so a packet denied inbound never consumes a route lookup.
Figure 2-3 shows the logical flowchart for how a packet is processed against an inbound or outbound ACL.
Figure 2-3. Life of a Packet Undergoing the ACL Process
Packet Flow Rules for Various Packet Types
The packet flowchart shown in Figure 2-4 demonstrates how ACL rules are applied to various packet types such
as nonfragments, initial fragments, and noninitial fragments that are checked against an ACL.
Figure 2-4. ACL Flow for Non-fragments, Initial Fragments, and Non-initial Fragments
RFC 1858, "Security Considerations for IP Fragment Filtering," describes two attacks that exploit fragment handling, the tiny fragment attack and the overlapping fragment attack, and two countermeasures for them: the direct method (drop a first fragment whose transport header is too short to carry the TCP fields a filter needs) and the indirect method (drop any TCP fragment with a fragment offset of 1, since such a fragment can only exist to overwrite part of the first fragment's TCP header).
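The following is an added example, not code from the book, that simulates the Code View logic above together with the fragment rules Figure 2-4 illustrates and the two RFC 1858 checks. The fragment handling follows Cisco's documented IOS behaviour: an ACE with only Layer 3 information applies to every packet type; an ACE carrying Layer 4 information applies fully to nonfragments and initial fragments, while for a noninitial fragment (no Layer 4 header present) only its Layer 3 portion can be compared, so a matching permit permits and a matching deny is skipped; an ACE with the `fragments` keyword applies only to noninitial fragments. The `Packet` and `ACE` classes, the `route_found` flag and the value `tmin = 16` are assumptions made for the example, and the sample ACL and packets in the usage are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Fields of an IP datagram that the ACL and fragment checks examine (assumed model)."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp" (IP Protocol field, present in every fragment)
    frag_offset: int = 0           # IP Fragment Offset, in 8-octet units
    more_fragments: bool = False   # IP MF flag
    payload_len: int = 20          # octets of transport-layer data carried in this fragment
    dport: Optional[int] = None    # destination port; only meaningful when the L4 header is present

    @property
    def noninitial(self) -> bool:
        # Figure 2-4's "noninitial fragment": offset != 0, so no Layer 4 header is present
        return self.frag_offset != 0


@dataclass(frozen=True)
class ACE:
    """One access-list entry, e.g. 'deny tcp any 10.0.0.0 0.0.0.255 eq 23' (assumed model)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None    # Layer 4 information; None makes this a Layer-3-only ACE
    fragments: bool = False        # the IOS 'fragments' keyword


ANY = IPv4Network("0.0.0.0/0")


def l3_match(ace: ACE, pkt: Packet) -> bool:
    """Compare only the Layer 3 portion of an ACE: protocol, source and destination."""
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return proto_ok and IPv4Address(pkt.src) in ace.src and IPv4Address(pkt.dst) in ace.dst


def evaluate_acl(acl: List[ACE], pkt: Packet, route_found: bool = True) -> str:
    """Walk the ACL top-down as in the Code View pseudocode (outbound order: route, then ACL).
    Returns 'permit', 'deny' (an explicit ACE), 'implicit-deny' or 'no-route'."""
    if not route_found:
        return "no-route"                      # no valid path: dropped before the ACL is consulted
    for ace in acl:
        if ace.fragments:
            # 'fragments' ACEs apply only to noninitial fragments, on Layer 3 information alone
            if pkt.noninitial and l3_match(ace, pkt):
                return ace.action
            continue
        if not l3_match(ace, pkt):
            continue
        if ace.dport is None:
            return ace.action                  # Layer-3-only ACE: applies to every packet type
        if pkt.noninitial:
            # Only Layer 3 can be compared: a matching permit permits, a matching deny is skipped
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dport == ace.dport:             # nonfragment or initial fragment: full L3+L4 match
            return ace.action
    return "implicit-deny"                     # the implicit 'deny any' at the end of every ACL


def rfc1858_drop(pkt: Packet, tmin: int = 16) -> Optional[str]:
    """RFC 1858 TCP fragment checks. Returns the reason to drop, or None to let the ACL decide.
    tmin is the minimum transport header length a first fragment must carry; 16 is assumed here."""
    if pkt.proto != "tcp":
        return None
    if pkt.frag_offset == 0 and pkt.payload_len < tmin:
        return "tiny-fragment"                 # direct method: first fragment cannot hold the TCP flags
    if pkt.frag_offset == 1:
        return "overlap-risk"                  # indirect method: FO=1 only exists to overwrite fragment 0
    return None


# Constructed sample ACL: block Telnet to the LAN, permit everything else to it.
SAMPLE_ACL = [
    ACE("deny", "tcp", ANY, IPv4Network("10.0.0.0/24"), dport=23),
    ACE("permit", "ip", ANY, IPv4Network("10.0.0.0/24")),
]

if __name__ == "__main__":
    telnet = Packet("192.0.2.7", "10.0.0.5", "tcp", dport=23)
    tail = Packet("192.0.2.7", "10.0.0.5", "tcp", frag_offset=5)   # noninitial fragment, no L4 header
    print(evaluate_acl(SAMPLE_ACL, telnet))   # deny
    print(evaluate_acl(SAMPLE_ACL, tail))     # permit: the Layer 4 deny cannot be applied to it
    print(rfc1858_drop(Packet("192.0.2.7", "10.0.0.5", "tcp", more_fragments=True, payload_len=8)))
```

The noninitial-fragment case is the practical point: a `deny tcp ... eq 23` ACE does not stop the later fragments of a Telnet datagram, which is why Cisco's guidance is to add an explicit `deny ip any any fragments` style entry (or apply the RFC 1858 checks) ahead of Layer 4 rules when fragments should not be trusted.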