IP Fragmentation - Not reliable over the Internet?

Dave Brockman dave at dvstn.com
Tue Aug 27 17:25:18 UTC 2013

On 8/27/2013 10:04 AM, Leo Bicknell wrote:
> On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku at ytti.fi> wrote:
>> On (2013-08-27 10:45 +0200), Emile Aben wrote:
>>>> 224 vantage points, 10 failed.
>>> 48 byte ping:    42 out of 3406 vantage points fail (1.0%)
>>> 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
>> Nice, it's starting to almost sound like data rather than
>> anecdote, both tests implicate 4<5% having fragmentation issues.
>> Much larger number than I intuitively had in mind.
> I'm pretty sure the failure rate is higher, and here's why.
> The #1 cause of fragments being dropped is firewalls.  Too many
> admins configuring a firewall do not understand fragments or how
> to properly put them in the rules.
> Where do firewalls exist?  Typically protecting things with public
> IP space, that is (some) corporate networks and banks of content
> servers in data centers.  This also includes on-box firewalls for
> Internet servers, ipfw or iptables on the server is just as likely
> to be part of the problem.

It's not just firewalls.... border-routers are also apt to have ACLs
like these[1]:

    ip access-list extended BORDER-IN
     10 deny tcp any any fragments
     20 deny udp any any fragments
     30 deny icmp any any fragments
     40 deny ip any any fragments

I see these a *LOT* on customer routers, before the packets even get
to the firewall....



1. I found it most recently at
http://hurricanelabs.com/blog/cisco-security-routers/ but I know there
are many other "guides" that include these as part of their ACL.
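
Added example, not part of the original message or the thread: a short Python model of why an ACL like the one quoted above lets the 48 byte ping through but breaks the 1473 byte one. It assumes the ping sizes are ICMP data bytes, a 1500-byte path MTU, a 20-byte IPv4 header without options, and that the IOS `fragments` keyword matches only non-initial fragments; all function names are made up for the illustration.

```python
import re

# Constructed sample input: the ACL quoted in the message above.
SAMPLE_CONFIG = """\
ip access-list extended BORDER-IN
 10 deny tcp any any fragments
 20 deny udp any any fragments
 30 deny icmp any any fragments
 40 deny ip any any fragments
"""

IP_HDR, ICMP_HDR = 20, 8  # assumed: IPv4 header without options, ICMP echo header
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s.*\bfragments\s*$")


def fragment_echo(data_len, mtu=1500):
    """Return (offset in 8-byte units, payload bytes, more-fragments flag) per packet."""
    remaining = data_len + ICMP_HDR       # IP payload that has to be carried
    max_payload = mtu - IP_HDR            # most a single packet can carry
    per_frag = max_payload // 8 * 8       # non-final fragments carry a multiple of 8
    frags, offset = [], 0
    while remaining > max_payload:
        frags.append((offset // 8, per_frag, True))
        offset += per_frag
        remaining -= per_frag
    frags.append((offset // 8, remaining, False))
    return frags


def fragment_deny_protocols(config):
    """Protocols named in 'deny ... fragments' entries (ACL order is not modelled)."""
    matches = (ACE_RE.match(line) for line in config.splitlines())
    return {m.group(2) for m in matches if m and m.group(1) == "deny"}


def surviving_fragments(data_len, config, proto="icmp", mtu=1500):
    """Fragments that pass: the 'fragments' keyword matches only offset > 0."""
    denied = fragment_deny_protocols(config)
    blocked = proto in denied or "ip" in denied
    return [f for f in fragment_echo(data_len, mtu) if not (blocked and f[0] > 0)]


def echo_reassembles(data_len, config, proto="icmp", mtu=1500):
    """True when every fragment of the echo request gets through the ACL."""
    return surviving_fragments(data_len, config, proto, mtu) == fragment_echo(data_len, mtu)


if __name__ == "__main__":
    for size in (48, 1473):
        print(size, fragment_echo(size), echo_reassembles(size, SAMPLE_CONFIG))
```

Under these assumptions the 1473 byte echo becomes a 1480-byte first fragment plus a 1-byte trailing fragment at offset 185; only the trailing fragment matches the deny entries, so the first one is forwarded and the receiver never completes reassembly.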
