nanog mailing list archives

Re: IP Fragmentation - Not reliable over the Internet?


From: Leo Bicknell <bicknell () ufp org>
Date: Tue, 27 Aug 2013 09:04:06 -0500


On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku () ytti fi> wrote:

On (2013-08-27 10:45 +0200), Emile Aben wrote:

224 vantage points, 10 failed.

48 byte ping:    42 out of 3406 vantage points fail (1.0%)
1473 byte ping: 180 out of 3540 vantage points fail (5.1%)

Nice, it's starting to almost sound like data rather than anecdote, both
tests implicate 4<5% having fragmentation issues.

Much larger number than I intuitively had in mind.


I'm pretty sure the failure rate is higher, and here's why.

The #1 cause of fragments being dropped is firewalls.  Too many admins configuring a firewall do not understand 
fragments or how to properly put them in the rules.

Where do firewalls exist?  Typically protecting things with public IP space, that is (some) corporate networks and 
banks of content servers in data centers.  This also includes on-box firewalls for Internet servers; ipfw or iptables 
on the server is just as likely to be part of the problem.

Now, where are RIPE probes?  Most RIPE probes are probably either with somewhat clueful ISP operators, or at 
Internet-clueful engineers' personal connectivity (home, or perhaps a box in a colo).  RIPE probes have already significantly 
self-selected for people who like non-broken connectivity.  What's more, the ping test was probably to some "known 
good" host(s), rather than a broad selection of Internet hosts, so effectively it was only testing the probe end, not 
both ends.

Basically, I see RIPE probes as an almost best-case scenario for this sort of broken behavior.

I bet the ISC Netalyzr folks have somewhat better data, perhaps skewed a bit towards broken connections as people run 
Netalyzr when their connection is broken!  I suspect reality is somewhere between those two bookends.

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
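
Added example, not part of the original message and not the poster's code: a small model of why a stateless rule that matches on a layer-4 field drops fragments, using the two ping sizes quoted in the thread. It assumes the sizes are ICMP payload lengths, a 1500-byte MTU and a 20-byte IPv4 header; the filter functions are hypothetical stand-ins for a firewall rule.

```python
from dataclasses import dataclass

IP_HDR = 20  # assumed: IPv4 header without options


@dataclass
class Fragment:
    offset: int   # fragment offset field, in 8-byte units
    more: bool    # MF (more fragments) flag
    data: bytes   # slice of the original IP payload


def echo_request(payload_len: int) -> bytes:
    # Constructed sample: ICMP type 8, code 0, checksum/id/seq left as zero.
    return bytes([8, 0, 0, 0, 0, 0, 0, 0]) + b"x" * payload_len


def fragment(ip_payload: bytes, mtu: int = 1500) -> list[Fragment]:
    """Split an IPv4 payload as a sender would for the given MTU."""
    step = (mtu - IP_HDR) // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    return [
        Fragment(start // 8, start + step < len(ip_payload),
                 ip_payload[start:start + step])
        for start in range(0, len(ip_payload), step)
    ]


def permit_echo_request(pkt: Fragment) -> bool:
    """Hypothetical stateless rule 'permit ICMP echo-request', default deny.
    Only the offset-0 fragment contains the ICMP header, so later
    fragments can never match and fall through to the deny."""
    return pkt.offset == 0 and pkt.data[0] == 8


def ping_survives(payload_len: int, reassemble_first: bool) -> bool:
    frags = fragment(echo_request(payload_len))
    if reassemble_first:
        # Fragment-aware device: rebuild the datagram, then apply the rule once.
        whole = b"".join(f.data for f in sorted(frags, key=lambda f: f.offset))
        return permit_echo_request(Fragment(0, False, whole))
    # Naive device: every fragment is judged on its own.
    return all(permit_echo_request(f) for f in frags)


if __name__ == "__main__":
    for size in (48, 1472, 1473):
        print(size, len(fragment(echo_request(size))), "fragment(s);",
              "naive:", ping_survives(size, False),
              "reassembling:", ping_survives(size, True))
```

Under these assumptions the 1473-byte ping is the smallest one that fragments, which is why it isolates fragment handling from ordinary reachability.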




