ArubaOS and Controllers

New Contributor
Posts: 1
Registered: ‎03-18-2010

IP fragment buffering, firewall session policy?

Does ArubaOS 3.4.4.2 buffer IPv4 fragments and discard those
that don't form a complete datagram within some reassembly timeout?

I noticed that when my wireless clients send certain fragmented IPv4 packets
which I would have expected to be forwarded, they are not being forwarded.
(They are not transmitted by the Aruba controller to the wired side of the network,
nor are they transmitted by the AP to other clients of the same AP.)

Specifically, if I craft a lone UDP IPv4 packet in which the IPv4 frag offset
field is non-zero, this packet is not forwarded. (The crafted packet is not part
of a sequence of packets which, if re-assembled, would be a valid IP datagram.)

I have *not* enabled the stateful firewall's global "Deny All IP Fragments"
setting for IPv4 or IPv6.

--

If the answer is that ArubaOS *does* perform this sort of buffering,
then I have a follow-up question:

If all of the fragments needed to form the complete datagram
arrive within the reassembly timeout, are any relevant firewall IP session policies
applied to the complete datagram?

That is, for those firewall IP session policies which deny certain UDP traffic
based on UDP port number, can I expect them to deny not only the first
fragment, but also the latter fragments (even though the latter fragments lack
a UDP header), because ArubaOS has buffered the entire datagram so it knows
the UDP header information for the latter fragments?
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: IP fragment buffering, firewall session policy?

You are correct about the buffering.
All relevant session policies are applied to the complete datagram.
You are correct.


Colin Joseph
Aruba Customer Engineering
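The behaviour described in the question and confirmed in the answer (fragments are buffered until the datagram is complete or a reassembly timer expires, and port-based session policy is evaluated once against the whole datagram, so trailing fragments with no UDP header are denied along with the first) can be modelled in a few dozen lines. The following is an added example, written for this page; it is not code from the thread, from ArubaOS, or from Aruba. Addresses, the 30-second timeout, the "deny UDP/69" rule, the tiny MTU used to force fragmentation, and the last-writer-wins overlap rule are all constructed assumptions, not values the thread gives.

```python
"""Added example (not Aruba's code): a fragment-aware firewall model.

Shows two things the Airheads thread states about ArubaOS:
  1. a lone IPv4 fragment with a non-zero offset never completes a datagram,
     so it sits in the reassembly buffer and is dropped when the timer expires;
  2. session policy is applied to the reassembled datagram, so a UDP port deny
     drops every fragment of that datagram, including the ones that carry no
     UDP header themselves.
"""
import struct

IPPROTO_UDP = 17
REASSEMBLY_TIMEOUT = 30.0   # seconds; an assumed value, the thread gives none


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, offset_units: int, more: bool,
               payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """Build an IPv4 packet; offset_units is the fragment offset in 8-byte units."""
    flags_frag = ((1 if more else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


def fragment_udp(src, dst, sport, dport, data: bytes, ident: int, mtu: int = 40):
    """Build one UDP datagram and split it the way a sending host would.
    mtu=40 is a constructed, deliberately tiny value so short payloads fragment."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    step = (mtu - 20) // 8 * 8            # non-final fragment payloads are multiples of 8
    return [build_ipv4(src, dst, ident, off // 8, off + step < len(udp), udp[off:off + step])
            for off in range(0, len(udp), step)]


class FragmentAwareFirewall:
    """Buffers fragments per (src, dst, id, proto); evaluates policy once on the
    reassembled datagram; then forwards or drops every buffered fragment."""

    def __init__(self, deny_udp_dports, timeout=REASSEMBLY_TIMEOUT):
        self.deny_udp_dports = set(deny_udp_dports)
        self.timeout = timeout
        self.pending = {}     # key -> {"first": arrival time, "frags": [(offset, mf, payload, raw)]}
        self.dropped = []     # (reason, raw packet)

    def policy_allows(self, proto: int, l4: bytes) -> bool:
        """Port-based deny rule; a UDP payload too short to carry a header is denied."""
        if proto == IPPROTO_UDP:
            if len(l4) < 8:
                return False
            _, dport, _, _ = struct.unpack("!HHHH", l4[:8])
            return dport not in self.deny_udp_dports
        return True

    @staticmethod
    def _complete(frags) -> bool:
        """True when the fragments cover [0, end) contiguously and the MF=0 piece is present."""
        frags = sorted(frags, key=lambda f: f[0])
        if frags[0][0] != 0 or frags[-1][1]:
            return False
        end = 0
        for off, _, payload, _ in frags:
            if off > end:
                return False
            end = max(end, off + len(payload))
        return True

    def expire(self, now: float) -> None:
        """Drop every fragment of any datagram that did not complete within the timeout."""
        for key in [k for k, e in self.pending.items() if now - e["first"] > self.timeout]:
            for f in self.pending.pop(key)["frags"]:
                self.dropped.append(("reassembly-timeout", f[3]))

    def handle(self, raw: bytes, now: float) -> list:
        """Return the packets that may be forwarded as a result of this arrival."""
        self.expire(now)
        p = parse_ipv4(raw)
        if p["offset"] == 0 and not p["mf"]:             # unfragmented: classify directly
            if self.policy_allows(p["proto"], p["payload"]):
                return [raw]
            self.dropped.append(("policy", raw))
            return []
        key = (p["src"], p["dst"], p["id"], p["proto"])
        entry = self.pending.setdefault(key, {"first": now, "frags": []})
        entry["frags"].append((p["offset"], p["mf"], p["payload"], raw))
        if not self._complete(entry["frags"]):
            return []                                    # keep buffering
        frags = sorted(self.pending.pop(key)["frags"], key=lambda f: f[0])
        datagram = bytearray(max(off + len(pl) for off, _, pl, _ in frags))
        for off, _, payload, _ in frags:                 # overlap: later offset wins (assumed rule)
            datagram[off:off + len(payload)] = payload
        if self.policy_allows(p["proto"], bytes(datagram)):
            return [f[3] for f in frags]                 # forward all fragments, offset order
        self.dropped.extend(("policy", f[3]) for f in frags)
        return []


def demo() -> dict:
    fw = FragmentAwareFirewall(deny_udp_dports={69})     # constructed rule: deny UDP/69
    r = {}
    # 1. The poster's crafted packet: a lone fragment with non-zero offset, MF=0.
    lone = build_ipv4("10.0.0.5", "10.0.1.7", 0x1234, offset_units=3, more=False, payload=b"A" * 16)
    r["lone_now"] = len(fw.handle(lone, now=0.0))
    fw.expire(now=REASSEMBLY_TIMEOUT + 1)
    r["lone_dropped"] = [why for why, raw in fw.dropped if raw == lone]
    # 2. Permitted UDP (dport 53) in three fragments, delivered out of order.
    frags = fragment_udp("10.0.0.5", "10.0.1.7", 40000, 53, b"B" * 40, ident=0x2001)
    r["allowed_forwarded"] = sum(len(fw.handle(f, now=40.0)) for f in (frags[2], frags[0], frags[1]))
    # 3. Denied UDP (dport 69): all three fragments dropped, two of them without a UDP header.
    frags = fragment_udp("10.0.0.5", "10.0.1.7", 40000, 69, b"C" * 40, ident=0x2002)
    r["denied_forwarded"] = sum(len(fw.handle(f, now=41.0)) for f in frags)
    r["denied_dropped"] = sum(1 for _, raw in fw.dropped if raw in frags)
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: policy runs after reassembly, never per fragment. A filter that classified each fragment on its own would have no port to match for fragments 2 and 3, and an attacker could also split the UDP header itself across the first two fragments (the tiny-fragment trick of RFC 1858); buffering until the datagram is whole removes both gaps, at the cost of holding state that the reassembly timeout bounds.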
