IP Fragmentation - Not reliable over the Internet?
bicknell at ufp.org
Tue Aug 27 14:04:06 UTC 2013
On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku at ytti.fi> wrote:
> On (2013-08-27 10:45 +0200), Emile Aben wrote:
>>> 224 vantage points, 10 failed.
>> 48 byte ping: 42 out of 3406 vantage points fail (1.0%)
>> 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
> Nice, it's starting to almost sound like data rather than anecdote, both
> tests implicate 4<5% having fragmentation issues.
> Much larger number than I intuitively had in mind.
I'm pretty sure the failure rate is higher, and here's why.
The #1 cause of fragments being dropped is firewalls. Too many admins configuring a firewall do not understand fragments or how to properly put them in the rules.
Where do firewalls exist? Typically protecting things with public IP space, that is (some) corporate networks and banks of content servers in data centers. This also includes on-box firewalls for Internet servers, ipfw or iptables on the server is just as likely to be part of the problem.
Now, where are RIPE probes? Most RIPE probes are probably either with somewhat clueful ISP operators, or at Internet Clueful engineer's personal connectivity (home, or perhaps a box in a colo). RIPE probes have already significantly self-selected for people who like non-broken connectivity. What's more, the ping test was probably to some "known good" host(s), rather than a broad selection of Internet hosts, so effectively it was only testing the probe end, not both ends.
Basically, I see RIPE probes as an almost best-case scenario for this sort of broken behavior.
I bet the ISC Netalyzer folks have somewhat better data, perhaps skewed a bit towards broken connections as people run Netalyzer when their connection is broken! I suspect reality is somewhere between those two book ends.
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 793 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the NANOG