Sunday, September 18, 2011

ip virtual-reassembly

Virtual Re-Assembly (VFR) is the process by which a router collects the fragments of an IP packet for inspection before forwarding them on. This can be required for two purposes:

1) IPS inspection to prevent various types of attacks. Quite often attacks are hidden in fragmented and re-ordered packets to make detection harder.
2) NAT processing. Sometimes it is required to change the contents of an IP packet for proper translation, e.g. to rewrite IP addresses carried inside FTP or DNS packets. This is not possible if the whole packet is not present at the time of the NAT rewrite. Thus you will normally see VFR enabled when you enable NAT on an interface.

Notice that the fragments are NOT actually reassembled into a single packet, but rather collected temporarily for inspection and then forwarded along the path. It is also worth noting that VFR could put additional load on the router's CPU and memory under heavy fragmented traffic flows. Sometimes you may sacrifice this function if you are sure that most legitimate traffic is unfragmented.
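The collect-then-forward behaviour described above, modelled as an added Python example (not router code, and simplified: no timeout, one queue per datagram). Fragments are held until the datagram is complete, released unchanged for inspection, and dropped if they overlap or exceed a fragment limit; the packets are constructed inline.

```python
import struct
from collections import defaultdict

MF = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field

def build_fragment(ident, offset, more, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 fragment (20-byte header, checksum left zero) for the demo."""
    frag = (MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64, 17, 0, src, dst)
    return hdr + payload

def parse(pkt):
    """Return (flow key, byte offset, more-fragments flag, payload) of one fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, frag = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])   # src, dst, id, protocol
    return key, (frag & 0x1FFF) * 8, bool(frag & MF), pkt[ihl:total]

class VirtualReassembler:
    """Holds fragments of a datagram until all are present, then releases them
    unchanged (as VFR does) so an inspector sees the whole datagram at once."""
    def __init__(self, max_fragments=32):
        self.max_fragments = max_fragments
        self.queues = defaultdict(list)          # key -> [(offset, length, more, pkt)]

    def accept(self, pkt):
        key, offset, more, payload = parse(pkt)
        if offset == 0 and not more:
            return "forward", [pkt]              # not fragmented: pass straight through
        q = self.queues[key]
        for off, length, _, _ in q:              # overlap is a classic evasion: drop datagram
            if offset < off + length and off < offset + len(payload):
                del self.queues[key]
                return "drop-overlap", []
        q.append((offset, len(payload), more, pkt))
        if len(q) > self.max_fragments:          # bound memory held per datagram
            del self.queues[key]
            return "drop-limit", []
        q.sort(key=lambda f: f[0])
        end = 0
        for off, length, _, _ in q:              # any gap means the datagram is incomplete
            if off != end:
                return "hold", []
            end = off + length
        if q[-1][2]:                             # last piece still has MF set: more to come
            return "hold", []
        del self.queues[key]
        return "forward", [f[3] for f in q]      # original fragments, never merged
```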

Keep in mind that fragmented traffic is often seen in environments that use VPN tunnels, which cause MTU problems.

Reference: http://blog.ine.com/2008/11/05/dealing-with-fragmented-traffic/
