IP Fragmentation - Not reliable over the Internet?
owen at delong.com
Tue Aug 27 07:34:57 UTC 2013
On Aug 26, 2013, at 22:02 , Valdis.Kletnieks at vt.edu wrote:
> On Tue, 27 Aug 2013 00:01:45 -0000, Christopher Palmer said:
>> What is the probability that a random path between two Internet hosts will
>> traverse a middlebox that drops or otherwise barfs on fragmented IPv4 packets?
> The fact you're posting indicates that you already know the practical
> answer: "Often enough that you need to take defensive measures".
> But there are really several separate questions here:
> 1) What is the probability that a given path ends up fragging a packet
> because it isn't MTU 1500 end-to-end?
> 2) What is the probability that a frag needed is detected by a router
> that then botches it?
> 2a) What is the probability that the router does it right but the source node
> shoots itself in the foot by requesting PMTUD, but then blocks inbound ICMP for
> "security reasons"?
> 3) What is the probability that one router correctly frags a packet, but
> a subsequent box (most likely a firewall or target host) botches the
> re-assembly or other handling?
> 4) When confronted with the fact that there's a very high correlation between
> the level of technical clue that results in procuring and deploying a broken
> device, and the level of technical clue available to resolve the problem
> when you try to contact them, what's the appropriate beverage?
That's a lot of questions he didn't ask.
As I read it, the question he asked is:
If I send a packet out as a legitimate series of fragments, what is the chance
that they will get dropped somewhere in the middle of the path between the
emitting host and the receiving host?
To my thinking, the answer to that question is basically "pretty close to 0 and
if that changes in the core, very bad things will happen."
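The thread talks about three things without showing them on the wire: how a receiver tells a fragment from a whole datagram (the MF flag and fragment offset in the IPv4 header), what the ICMP "Fragmentation Needed" message that PMTUD depends on looks like, and why a host policy that blocks all inbound ICMP (Valdis's case 2a) silently breaks PMTUD. The following is an added example, not code from the thread or from any NANOG poster. It builds a few constructed packets (TEST-NET addresses, made-up payloads), parses the fragmentation fields, extracts the next-hop MTU from a Fragmentation Needed message, and contrasts a "block all ICMP" filter with one that lets the PMTUD message through. All function names are hypothetical.

```python
import socket
import struct
from typing import Optional

IPV4_FLAG_DF = 0x4000           # "don't fragment"
IPV4_FLAG_MF = 0x2000           # "more fragments"
IPV4_FRAG_OFFSET_MASK = 0x1FFF  # offset in 8-byte units
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4       # "fragmentation needed and DF set" (RFC 1191)


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *,
               df: bool = False, mf: bool = False, offset: int = 0,
               ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Construct a minimal (20-byte header) IPv4 packet for the examples below."""
    flags_frag = ((IPV4_FLAG_DF if df else 0) | (IPV4_FLAG_MF if mf else 0)
                  | ((offset // 8) & IPV4_FRAG_OFFSET_MASK))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields a middlebox needs to classify fragments."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ones_complement_sum(pkt[:ihl]) != 0:   # valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ident": ident, "ttl": ttl, "ihl": ihl,
        "total_len": total_len,
        "df": bool(flags_frag & IPV4_FLAG_DF),
        "mf": bool(flags_frag & IPV4_FLAG_MF),
        "offset": (flags_frag & IPV4_FRAG_OFFSET_MASK) * 8,
    }


def fragment_role(h: dict) -> str:
    """A datagram is a fragment iff MF is set or the offset is non-zero."""
    if h["offset"] == 0 and not h["mf"]:
        return "unfragmented"
    if h["offset"] == 0:
        return "first-fragment"      # carries the L4 header; later ones do not
    return "middle-fragment" if h["mf"] else "last-fragment"


def frag_needed_mtu(pkt: bytes) -> Optional[int]:
    """Return the next-hop MTU from an ICMP Fragmentation Needed message, else None."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_ICMP:
        return None
    icmp = pkt[h["ihl"]:]
    if len(icmp) < 8:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype == ICMP_DEST_UNREACH and code == ICMP_CODE_FRAG_NEEDED:
        return mtu
    return None


def inbound_icmp_allowed(pkt: bytes, block_all_icmp: bool) -> bool:
    """Host firewall model: 'block all ICMP' also drops the message PMTUD needs;
    the alternative drops other ICMP but keeps Fragmentation Needed."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_ICMP:
        return True
    if block_all_icmp:
        return False
    return frag_needed_mtu(pkt) is not None


# Constructed sample traffic (TEST-NET-1 / TEST-NET-2 addresses, dummy payloads).
FRAG_FIRST = build_ipv4("192.0.2.1", "198.51.100.2", IPPROTO_UDP, b"A" * 1480, mf=True)
FRAG_LAST = build_ipv4("192.0.2.1", "198.51.100.2", IPPROTO_UDP, b"B" * 100, offset=1480)
DF_PROBE = build_ipv4("192.0.2.1", "198.51.100.2", IPPROTO_UDP, b"C" * 1480, df=True)
_icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, 0, 0, 1400) + DF_PROBE[:28]
_icmp = _icmp[:2] + struct.pack("!H", ones_complement_sum(_icmp)) + _icmp[4:]
ICMP_FRAG_NEEDED = build_ipv4("203.0.113.9", "192.0.2.1", IPPROTO_ICMP, _icmp)

if __name__ == "__main__":
    for name, pkt in [("first", FRAG_FIRST), ("last", FRAG_LAST), ("df", DF_PROBE)]:
        print(name, fragment_role(parse_ipv4(pkt)))
    print("next-hop MTU:", frag_needed_mtu(ICMP_FRAG_NEEDED))
    print("block-all policy passes PMTUD msg:", inbound_icmp_allowed(ICMP_FRAG_NEEDED, True))
```

The `inbound_icmp_allowed` contrast is the point of case 2a: a host that sets DF and then drops every inbound ICMP never sees the 1400-byte hint, so the large packets are black-holed rather than fragmented.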