Re: IP Fragmentation - Not reliable over the Internet?

[Dave Brockman <dave () dvstn com>]

On 8/27/2013 10:04 AM, Leo Bicknell wrote:
> On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku () ytti fi> wrote:
>
> > On (2013-08-27 10:45 +0200), Emile Aben wrote:
> >
> > > > 224 vantage points, 10 failed.
> > >
> > > 48 byte ping:    42 out of 3406 vantage points fail (1.0%)
> > > 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
> >
> > Nice, it's starting to almost sound like data rather than
> > anecdote, both tests implicate 4<5% having fragmentation issues.
> >
> > Much larger number than I intuitively had in mind.
>
>
> I'm pretty sure the failure rate is higher, and here's why.
>
> The #1 cause of fragments being dropped is firewalls.  Too many
> admins configuring a firewall do not understand fragments or how
> to properly put them in the rules.
>
> Where do firewalls exist?  Typically protecting things with public
> IP space, that is (some) corporate networks and banks of content
> servers in data centers.  This also includes on-box firewalls for
> Internet servers, ipfw or iptables on the server is just as likely
> to be part of the problem.

It's not just firewalls.... border-routers are also apt to have ACLs
like these[1]:

ip access-list extended BORDER-IN
10 deny tcp any any fragments
20 deny udp any any fragments
30 deny icmp any any fragments
40 deny ip any any fragments

I see these a *LOT* on customer routers, before the packets even get
to the firewall....

Regards,

dtb

1. I found it most recently at
http://hurricanelabs.com/blog/cisco-security-routers/ but I know there
are many other "guides" that include these as part of their ACL.