IP Reassembly
This section describes the reassembly functionality:

- In the non-CUPS architecture, fragments are buffered up to 64K bytes with the default Firewall configuration. Beyond 64K bytes, all buffered and subsequent fragments are dropped. In UPF, packets of up to 9K bytes can be reassembled from a maximum of six fragments.
- The firewall ip-reassembly-failure CLI configures the handling of teardrop attacks, nested fragmentation, and general IP reassembly failures. The maximum IP packet size is limited to six fragments (~9000 bytes).
- The following counters in firewall statistics get incremented for all attacks related to reassembly:
  - Downlink Packets Dropped due to IPv4 Reassembly Failure
  - Uplink Packets Dropped due to IPv4 Reassembly Failure
  - Downlink Dropped Bytes on IPv4 Reassembly Failure
  - Uplink Dropped Bytes on IPv4 Reassembly Failure
  - Downlink Packets Dropped due to IPv6 Reassembly Failure
  - Uplink Packets Dropped due to IPv6 Reassembly Failure
  - Downlink Dropped Bytes on IPv6 Reassembly Failure
  - Uplink Dropped Bytes on IPv6 Reassembly Failure
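The following is an added illustration, not code from the UPF product or its documentation. It is a toy IPv4 fragment reassembler that models the limits described above (at most six fragments, at most ~9000 reassembled bytes), rejects overlapping fragments (the teardrop pattern), and keeps per-direction "packets dropped" and "bytes dropped" counters in the spirit of the firewall statistics listed. The class and field names, the constructed fragments, and the rule that a failure discards the offending fragment together with everything already buffered for that datagram are assumptions of this example; nested fragmentation is not modelled.

```python
"""Toy IPv4 fragment reassembler with reassembly-failure counters.

Constructed example, not Cisco UPF code. Limits follow the text:
six fragments per datagram and ~9000 reassembled bytes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FRAGMENTS = 6        # page: "maximum of six fragments"
MAX_REASSEMBLED = 9000   # page: "~9000 bytes"


@dataclass
class Fragment:
    ident: int       # IPv4 Identification field
    offset: int      # byte offset inside the original datagram
    more: bool       # More Fragments flag
    payload: bytes


@dataclass
class Counters:
    packets_dropped: int = 0
    bytes_dropped: int = 0


@dataclass
class _Context:
    frags: List[Fragment] = field(default_factory=list)


class Reassembler:
    def __init__(self) -> None:
        # reassembly state keyed by (src, dst, identification)
        self._ctx: Dict[Tuple[str, str, int], _Context] = {}
        self.counters = {"uplink": Counters(), "downlink": Counters()}

    def feed(self, direction: str, src: str, dst: str,
             frag: Fragment) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, datagram); datagram is set only once complete."""
        key = (src, dst, frag.ident)
        ctx = self._ctx.setdefault(key, _Context())
        reason = self._check(ctx, frag)
        if reason is not None:
            self._drop(direction, key, ctx, frag)
            return reason, None
        ctx.frags.append(frag)
        datagram = self._try_complete(ctx)
        if datagram is not None:
            del self._ctx[key]
            return "reassembled", datagram
        return "buffered", None

    @staticmethod
    def _check(ctx: _Context, frag: Fragment) -> Optional[str]:
        end = frag.offset + len(frag.payload)
        if len(ctx.frags) + 1 > MAX_FRAGMENTS:
            return "too-many-fragments"
        if end > MAX_REASSEMBLED:
            return "oversize"
        for f in ctx.frags:
            # any byte-range overlap with a buffered fragment is rejected
            # (exact duplicates are rejected here as well)
            if frag.offset < f.offset + len(f.payload) and f.offset < end:
                return "teardrop"
        return None

    def _drop(self, direction: str, key, ctx: _Context, frag: Fragment) -> None:
        # assumption: a failure discards the buffered fragments and this one
        c = self.counters[direction]
        for f in ctx.frags + [frag]:
            c.packets_dropped += 1
            c.bytes_dropped += len(f.payload)
        self._ctx.pop(key, None)

    @staticmethod
    def _try_complete(ctx: _Context) -> Optional[bytes]:
        frags = sorted(ctx.frags, key=lambda f: f.offset)
        if frags[-1].more:
            return None          # last fragment not seen yet
        expected, out = 0, bytearray()
        for f in frags:
            if f.offset != expected:
                return None      # a gap remains
            out += f.payload
            expected += len(f.payload)
        return bytes(out)


if __name__ == "__main__":
    r = Reassembler()
    print(r.feed("uplink", "10.0.0.1", "10.0.0.2", Fragment(1, 0, True, b"a" * 100)))
    print(r.feed("uplink", "10.0.0.1", "10.0.0.2", Fragment(1, 50, False, b"b" * 100)))
    print(r.counters["uplink"])
```

Feeding three contiguous fragments yields the reassembled datagram; an overlapping second fragment is reported as a teardrop and both fragments are counted against the uplink drop counters, which is the per-direction accounting the firewall statistics above expose.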