IP Fragmentation - Not reliable over the Internet?

Fred Baker (fred) fred at cisco.com
Mon Sep 2 06:11:22 UTC 2013

On Aug 27, 2013, at 12:34 AM, Owen DeLong <owen at delong.com> wrote:

> If I send a packet out as a legitimate series of fragments, what is the chance
> that they will get dropped somewhere in the middle of the path between the
> emitting host and the receiving host?
> To my thinking, the answer to that question is basically "pretty close to 0 and
> if that changes in the core, very bad things will happen."

I mostly agree. I will argue that the actual path of an IP datagram is end to end, so the question is not the core, but the end to end path.

That said, with today's congestion control algorithms, TCP does pretty badly with an other-than-negligible loss rate, so end to end, fragmented messages have a negligible probability of being dropped, so the probability of sending a message that is fragmented and having it arrive at the intended destination is a negligibly small probability smaller than then probability of sending an unfragmented message and having it arrive.

The primary argument against that is firewall behavior, in which firewalls are programmed to drop fragments with high probability.

If we had a protocol that sat atop IP and did what fragmentation does that we could expect all non-TCP/SCTP protocols to use, I would have a very different viewpoint. But, playing the ball where it lies, the primary change I would recommend would be to support any firewall rule that permitted dropping the first fragment of a fragmented datagram in which the first fragment did NOT include the entire IP header and the entire subsequent header, and expecting a host to keep a fragment of a datagram no more than some stated number of seconds (I might pick "two") with express permission to drop it more rapidly should the need arise. I would *not* support a rule that simple dropped fragments, or a protocol change that disallowed them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20130902/aa9b0c1a/attachment.sig>

More information about the NANOG mailing list