IP Fragmentation - Not reliable over the Internet?

Owen DeLong owen at delong.com
Fri Aug 30 05:47:44 UTC 2013

On Aug 29, 2013, at 18:15 , Mark Andrews <marka at isc.org> wrote:

> In message <a708ea6a03eb4ca7a14f5b16e4ce8dda at BN1PR03MB171.namprd03.prod.outlook
> .com>, Christopher Palmer writes:
>> This is what I'm concerned about:
>> """
>> 1. If I originate IP packet fragments, such as an 8000 byte NFS packet
>> broken into 1500 byte fragments, what's the probability of some host
>> before the other endpoint dropping one or all of those fragments?
>> """
> For wide area NFS I would be using TCP not UDP.  If you can't use
> TCP you should ensure that the firewalls at both ends pass fragmented
> UDP packet.  NFS is generally not open to the world so fragmentation
> and NFS is essentially a local issue.  Fragments don't get routinely
> dropped in the core.

However, passing fragmented UDP packets has its own (undesirable)
set of security implications.

Of course running NFS over an unencrypted path in the wild is, well,
something with additional (undesirable) set of security implications.
(IOW, this should be happening inside a VPN)

> Ensure that the firealls at both ends pass ICMP/ICMPv6 PTB.  Only
> idiots block all ICMP/ICMPv6.  Yes there are a lot of idiots in the
> world.

+1 This cannot be stressed enough.


More information about the NANOG mailing list