IP Fragmentation - Not reliable over the Internet?

Mark Andrews marka at isc.org
Fri Aug 30 01:15:59 UTC 2013


In message <a708ea6a03eb4ca7a14f5b16e4ce8dda at BN1PR03MB171.namprd03.prod.outlook.com>, Christopher Palmer writes:
> This is what I'm concerned about:
>
> """
> 1. If I originate IP packet fragments, such as an 8000 byte NFS packet
> broken into 1500 byte fragments, what's the probability of some host
> before the other endpoint dropping one or all of those fragments?
> """

For wide area NFS I would be using TCP not UDP.  If you can't use
TCP you should ensure that the firewalls at both ends pass fragmented
UDP packets.  NFS is generally not open to the world so fragmentation
and NFS is essentially a local issue.  Fragments don't get routinely
dropped in the core.

Ensure that the firewalls at both ends pass ICMP/ICMPv6 PTB.  Only
idiots block all ICMP/ICMPv6.  Yes there are a lot of idiots in the
world.

> Big thanks to everyone who has sent thoughts already, really quite
> helpful.
>
> -----Original Message-----
> From: wherrin at gmail.com [mailto:wherrin at gmail.com] On Behalf Of William
> Herrin
> Sent: Tuesday, August 27, 2013 10:45 AM
> To: Christopher Palmer
> Cc: North American Network Operators' Group
> Subject: Re: IP Fragmentation - Not reliable over the Internet?
>
> On Mon, Aug 26, 2013 at 8:01 PM, Christopher Palmer
> <Christopher.Palmer at microsoft.com> wrote:
> > What is the probability that a random path between two Internet hosts
> > will traverse a middlebox that drops or otherwise barfs on fragmented
> > IPv4 packets?
>
> Hi Christopher,
>
> I think there might be three rather different questions here:
>
> 1. If I originate IP packet fragments, such as an 8000 byte NFS packet
> broken into 1500 byte fragments, what's the probability of some host
> before the other endpoint dropping one or all of those fragments?
>
> 2. If I send an IP packet that's too large for the path and *don't* set
> the don't-fragment bit, what's the chance that the router with the
> too-small next hop will fail to correctly fragment that packet (or that
> the correctly fragmented packet will fall into trap #1 above)?
>
> 3. If I send an IP packet that's too large for the path and *do* set the
> don't-fragment bit, what's the chance of failing to receive the "packet
> too big" message it causes the intermediate router to send?
>
> Are you after the answer to one in particular?
>
> Regards,
> Bill Herrin
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls
> Church, VA 22042-3004
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
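
Added example, not part of the original message: a sketch of what the two firewalls have to let through, namely every fragment of the 8000-byte datagram from the quoted question and the ICMP/ICMPv6 "packet too big" (PTB) replies. It assumes 8000 bytes is the total IPv4 datagram length with a 20-byte header and no options; the function names and sample bytes are constructed for illustration.

```python
import struct

IPV4_HEADER = 20  # assumption: no IP options


def plan_fragments(datagram_len, mtu, header_len=IPV4_HEADER):
    """Return (payload_offset, payload_len, more_fragments) for each fragment."""
    payload = datagram_len - header_len
    # Fragment offsets are carried in 8-byte units, so every fragment but
    # the last must carry a multiple of 8 payload bytes.
    per_frag = (mtu - header_len) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, off = [], 0
    while off < payload:
        size = min(per_frag, payload - off)
        frags.append((off, size, off + size < payload))
        off += size
    return frags


def parse_ptb(icmp, ipv6=False):
    """Return the next-hop MTU if `icmp` is a PTB message, else None.

    ICMPv4: type 3, code 4, MTU in bytes 6-7 (RFC 1191).
    ICMPv6: type 2, MTU in bytes 4-7 (RFC 4443).
    The checksum is not verified here.
    """
    if len(icmp) < 8:
        return None
    if ipv6:
        return struct.unpack("!I", icmp[4:8])[0] if icmp[0] == 2 else None
    if icmp[0] == 3 and icmp[1] == 4:
        return struct.unpack("!H", icmp[6:8])[0]
    return None


# Constructed sample ICMP headers (checksum left as zero).
SAMPLE_V4_PTB = bytes([3, 4, 0, 0, 0, 0]) + struct.pack("!H", 1400)
SAMPLE_V6_PTB = bytes([2, 0, 0, 0]) + struct.pack("!I", 1280)
SAMPLE_V4_ECHO = bytes([8, 0, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    for off, size, more in plan_fragments(8000, 1500):
        print(f"offset={off:5d} payload={size:4d} MF={int(more)}")
    print("v4 PTB next-hop MTU:", parse_ptb(SAMPLE_V4_PTB))
    print("v6 PTB next-hop MTU:", parse_ptb(SAMPLE_V6_PTB, ipv6=True))
```

Only the first fragment carries the UDP header, so a firewall that filters on ports without reassembling sees no port numbers in the other five.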



