nanog mailing list archives

Re: IP Fragmentation - Not reliable over the Internet?

From: Mark Andrews <marka () isc org>
Date: Fri, 30 Aug 2013 11:15:59 +1000


In message <a708ea6a03eb4ca7a14f5b16e4ce8dda () BN1PR03MB171 namprd03 prod.outlook
.com>, Christopher Palmer writes:

This is what I'm concerned about:

"""
1. If I originate IP packet fragments, such as an 8000 byte NFS packet
broken into 1500 byte fragments, what's the probability of some host
before the other endpoint dropping one or all of those fragments?
"""


For wide area NFS I would be using TCP not UDP.  If you can't use
TCP you should ensure that the firewalls at both ends pass fragmented
UDP packet.  NFS is generally not open to the world so fragmentation
and NFS is essentially a local issue.  Fragments don't get routinely
dropped in the core.

Ensure that the firealls at both ends pass ICMP/ICMPv6 PTB.  Only
idiots block all ICMP/ICMPv6.  Yes there are a lot of idiots in the
world.

Big thanks to everyone who has sent thoughts already, really quite
helpful.

-----Original Message-----
From: wherrin () gmail com [mailto:wherrin () gmail com] On Behalf Of William
Herrin
Sent: Tuesday, August 27, 2013 10:45 AM
To: Christopher Palmer
Cc: North American Network Operators' Group
Subject: Re: IP Fragmentation - Not reliable over the Internet?

On Mon, Aug 26, 2013 at 8:01 PM, Christopher Palmer
<Christopher.Palmer () microsoft com> wrote:

What is the probability that a random path between two Internet hosts
will traverse a middlebox that drops or otherwise barfs on fragmented
IPv4 packets?


Hi Christopher,

I think there might be three rather different questions here:

1. If I originate IP packet fragments, such as an 8000 byte NFS packet
broken into 1500 byte fragments, what's the probability of some host
before the other endpoint dropping one or all of those fragments?

2. If I send an IP packet that's too large for the path and *don't* set
the don't-fragment bit, what' the chance that the router with the
too-small next hop will fail to correctly fragment that packet (or that
the correctly fragmented packet will fall into trap #1 above)?

3. If I send an IP packet that's too large for the path and *do* set the
don't-fragment bit, what's the chance of failing to receive the "packet
too big" message it causes the intermediate router to send?

Are you after the answer to one in particular?

Regards,
Bill Herrin



--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls
Church, VA 22042-3004


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: IP Fragmentation - Not reliable over the Internet?, (continued)
- - - Re: IP Fragmentation - Not reliable over the Internet? Benno Overeinder (Aug 29)
    - Re: IP Fragmentation - Not reliable over the Internet? Randy Bush (Aug 30)
    - Re: IP Fragmentation - Not reliable over the Internet? Benno Overeinder (Aug 30)
    - Re: IP Fragmentation - Not reliable over the Internet? Emile Aben (Aug 31)
    - Re: IP Fragmentation - Not reliable over the Internet? Randy Bush (Aug 31)
    - Re: IP Fragmentation - Not reliable over the Internet? Randy Bush (Aug 31)
- Re: IP Fragmentation - Not reliable over the Internet? Tony Finch (Aug 27)
  - Re: IP Fragmentation - Not reliable over the Internet? Jaap Akkerhuis (Aug 27)
- Re: IP Fragmentation - Not reliable over the Internet? William Herrin (Aug 27)
  - RE: IP Fragmentation - Not reliable over the Internet? Christopher Palmer (Aug 29)
    - Re: IP Fragmentation - Not reliable over the Internet? Mark Andrews (Aug 29)
    - Re: IP Fragmentation - Not reliable over the Internet? Owen DeLong (Aug 29)
    - Re: IP Fragmentation - Not reliable over the Internet? Masataka Ohta (Aug 29)