
FBF and fragmented UDP packets
Kind of a tough problem here. We're strictly using FBF and static
routes (routing instances) to route packets through an M20 (M40 in
production). The issue we have is that we need to send fragmented
UDP packets to the same routing instance as their initial packet, but
only the fragmented UDP packets that are DNS, without catching every other
fragmented UDP packet.

So far we're sending the first DNS UDP packet to the right routing
instance and if we put in

<snip>
from {
    protocol udp;
    is-fragment;
}
<snip>

we can get all fragments to go to the routing instance. Obviously not
what we're looking for. So any suggestions out there? We're open to
anything that might do it and we can play with the specifics.

We're currently running JunOS 5.7R3.4.

Thanks,
Peter
FBF and fragmented UDP packets [ In reply to ]
Given that fragments other than the first do not contain the
UDP port number to identify DNS, I don't think you can do
what you're trying to do.

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net]On Behalf Of
peter@devries.tv
Sent: Thursday, February 26, 2004 7:30 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] FBF and fragmented UDP packets


FBF and fragmented UDP packets [ In reply to ]
What you are trying to do would require a state-aware view of the packet
flows, and an M-router is a stateless device (at least without service PICs).
One way I can think of would be forwarding all fragmented packets to an
external box, reassembling them and sending them back to the router.

I'm curious why you are getting DNS UDP fragments; DNS traffic would usually
go over TCP for packets that might need fragmentation.


Rubens

----- Original Message -----
From: <peter@devries.tv>
To: <juniper-nsp@puck.nether.net>
Sent: Friday, February 27, 2004 12:29 AM
Subject: [j-nsp] FBF and fragmented UDP packets

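As an added illustration of the two replies above (this is example code, not from the thread and not Junos configuration): a Python model of what a stateless per-packet filter can see in each fragment, and of the (src, dst, IP ID) correlation that the "external box" suggestion would have to keep. The packets are constructed sample data; the header layout follows RFC 791.

```python
import struct

UDP = 17               # IPv4 protocol number for UDP
MF = 0x1               # "more fragments" bit in the IPv4 flags field
HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_header(ident, flags, offset, proto, payload_len, src, dst):
    """Build a minimal IPv4 header (checksum left zero; constructed data only)."""
    frag_field = (flags << 13) | (offset & 0x1FFF)
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, ident, frag_field,
                       64, proto, 0, bytes(src), bytes(dst))

# Constructed sample traffic: a 1500-byte first fragment of a large UDP DNS
# reply (src port 53), its second fragment, and a second fragment of some
# unrelated UDP datagram between the same two hosts.
SRC, DST = (192, 0, 2, 53), (198, 51, 100, 7)
udp_hdr = struct.pack("!HHHH", 53, 40000, 1488, 0)   # src, dst, length, checksum
dns_first = ipv4_header(0x1234, MF, 0, UDP, 1480, SRC, DST) + udp_hdr + b"\x00" * 1472
dns_second = ipv4_header(0x1234, 0, 1480 // 8, UDP, 8, SRC, DST) + b"\x00" * 8
other_second = ipv4_header(0x7777, 0, 1480 // 8, UDP, 8, SRC, DST) + b"\x00" * 8

def stateless_match(pkt):
    """What a per-packet filter term can see: UDP ports exist only in the
    fragment with offset 0, so every later fragment is 'udp fragment, port unknown'."""
    _, _, _, ident, frag_field, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    offset = frag_field & 0x1FFF
    is_fragment = bool(frag_field & 0x2000) or offset != 0
    if proto != UDP:
        return "not-udp"
    if offset == 0:
        sport, dport = struct.unpack("!HH", pkt[20:24])
        if 53 in (sport, dport):
            return "dns-first-fragment" if is_fragment else "dns"
        return "udp-other"
    return "udp-fragment-port-unknown"   # identical verdict for DNS and non-DNS

def stateful_match(pkts):
    """What the thread's 'external box' would do: remember the (src, dst, id) of
    first fragments identified as DNS and classify later fragments by that key."""
    dns_keys, results = set(), []
    for pkt in pkts:
        _, _, _, ident, _, _, _, _, src, dst = struct.unpack(HDR, pkt[:20])
        key = (src, dst, ident)
        verdict = stateless_match(pkt)
        if verdict == "dns-first-fragment":
            dns_keys.add(key)
        elif verdict == "udp-fragment-port-unknown":
            verdict = "dns-later-fragment" if key in dns_keys else "udp-fragment-other"
        results.append(verdict)
    return results
```

Running `stateful_match([dns_first, dns_second, other_second])` separates the DNS and non-DNS second fragments only because the first fragment was seen earlier; `stateless_match` alone returns the same verdict for both.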
FBF and fragmented UDP packets [ In reply to ]
* peter@devries.tv (peter@devries.tv) [Fri 27 Feb 2004, 04:30 CET]:
> Kind of a tough problem here. We're strictly using FBF and static
> routes (routing instances) to route packets through an M20 (M40 in
> production). The issue we have is that we need to send fragmented
> UDP packets to the same routing instance as their initial packet, but
> only the fragmented UDP packets that are DNS, without catching every other
> fragmented UDP packet.

You're in luck: UDP DNS packets can't get over 512 bytes! (See RFC1035,
section 2.3.4; nameservers fall back to TCP if the answer to a query
exceeds this limit.)

In other words, you're unlikely to see a fragmented UDP packet that's
part of a valid DNS query, unless you have links with an MTU smaller
than 576 bytes in your network.


-- Niels.
