All ALGs vulnerable?

[Mushoz]

There is very little information to find about this, but I was wondering whether this is a design implementation on the R7000 router that was exploited, or whether this affects all ALGs per definition? Surely the TCP case could easily be avoided if the router would take fragmentation into account by looking at the fragment offset field in the packet? I am unsure about the UDP case though...

[samyk]

UDP uses fragmentation so looking at fragmentation would work there. For TCP, segmentation needs to be looked at. Realistically to prevent this, ALG should be disabled. The NAT Pinning PoC (10 years ago) demonstrated that ALGs can be triggered without any fancy packet boundary control as many ALGs are CRLF-based and simply parse line by line, not by packet boundaries.

Ideally ALGs become disabled by default and browsers restrict ALG-specific ports for all outbound socket features they support other than necessary (for example, allow SIP via WebRTC, but not HTTP, HTTPS, FTP, STUN, TURN, TURNS, etc)

[lal12]

Am I wrong or wouldn't ignoring TCP packets with a fragmentation flag in the IP header be an easy fix for most ALGs?

[samyk]

Checking for TCP segmentation or IP fragmentation would solve SIP but not other ALGs, eg https://github.com/samyk/linux/blob/29b0b5d56589d66bd5793f1e09211ce7d7d3cd36/net/netfilter/nf_conntrack_irc.c