[165238] in North American Network Operators' Group
Re: IP Fragmentation - Not reliable over the Internet?
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue Aug 27 10:04:58 2013
From: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <20130827112436.GA29165@pob.ytti.fi>
Date: Tue, 27 Aug 2013 09:04:06 -0500
To: Saku Ytti <saku@ytti.fi>
Cc: nanog@nanog.org
On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku@ytti.fi> wrote:

> On (2013-08-27 10:45 +0200), Emile Aben wrote:
>
>>> 224 vantage points, 10 failed.
>>
>> 48 byte ping: 42 out of 3406 vantage points fail (1.0%)
>> 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
>
> Nice, it's starting to almost sound like data rather than anecdote, both
> tests implicate 4<5% having fragmentation issues.
>
> Much larger number than I intuitively had in mind.
I'm pretty sure the failure rate is higher, and here's why.

The #1 cause of fragments being dropped is firewalls. Too many admins configuring a firewall do not understand fragments or how to properly put them in the rules.

Where do firewalls exist? Typically protecting things with public IP space, that is (some) corporate networks and banks of content servers in data centers. This also includes on-box firewalls for Internet servers; ipfw or iptables on the server is just as likely to be part of the problem.

Now, where are RIPE probes? Most RIPE probes are probably either with somewhat clueful ISP operators, or at Internet-clueful engineers' personal connectivity (home, or perhaps a box in a colo). RIPE probes have already significantly self-selected for people who like non-broken connectivity. What's more, the ping test was probably to some "known good" host(s), rather than a broad selection of Internet hosts, so effectively it was only testing the probe end, not both ends.

Basically, I see RIPE probes as an almost best-case scenario for this sort of broken behavior.

I bet the ISC Netalyzer folks have somewhat better data, perhaps skewed a bit towards broken connections as people run Netalyzer when their connection is broken! I suspect reality is somewhere between those two bookends.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
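An added illustration of the firewall point made in the message above (this is not code from the NANOG thread or from any of its participants): a toy IPv4 fragmenter, fed the same 48-byte and 1473-byte pings the thread measured, and two toy filter rules. A 1473-byte ICMP payload plus the 8-byte ICMP header and 20-byte IPv4 header is 1501 bytes, one over a 1500-byte MTU, so the sender must fragment it. Only the first fragment carries the ICMP header; a default-deny rule that permits "ICMP echo-request" by inspecting that header has nothing to match in the second fragment and drops it, which is exactly the misconfiguration the message describes. Header sizes, the 8-byte fragment-offset unit and the checksum follow RFC 791, RFC 792 and RFC 1071; the rules, the IP ID 0xBEEF and the `ping_outcome` helper are constructed for the example and are not ipfw or iptables semantics.

```python
# Added example, not from the NANOG thread: why a header-matching firewall
# rule drops the non-initial fragment of a 1473-byte ping.
import struct

MTU = 1500
IP_HDR_LEN = 20        # IPv4 header without options (RFC 791)
ICMP_ECHO_REQUEST = 8  # ICMP type of an echo request (RFC 792)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) with a zero-filled payload of the
    size `ping -s <payload_len>` would send. ident/seq are arbitrary."""
    body = bytes(payload_len)
    unsummed = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + body
    csum = icmp_checksum(unsummed)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + body


def fragment(transport: bytes, mtu: int = MTU, ip_id: int = 0xBEEF) -> list:
    """Split an IP payload into fragments that fit `mtu` (RFC 791 sec. 2.3).
    Every fragment but the last carries a multiple of 8 payload bytes because
    the fragment-offset field counts 8-byte units. ip_id is a constructed value."""
    max_payload = (mtu - IP_HDR_LEN) // 8 * 8   # 1480 bytes at MTU 1500
    frags, off = [], 0
    while off < len(transport):
        chunk = transport[off:off + max_payload]
        frags.append({
            "id": ip_id,
            "offset": off // 8,                       # in 8-byte units
            "mf": off + len(chunk) < len(transport),  # "more fragments" flag
            "data": chunk,
        })
        off += len(chunk)
    return frags


def naive_rule(frag: dict, _state: set) -> bool:
    """Default-deny rule permitting only 'ICMP echo-request'. The ICMP type
    can be read only from the first fragment; a non-initial fragment carries
    no transport header, nothing matches, and the default policy drops it."""
    if frag["offset"] != 0:
        return False
    return frag["data"][0] == ICMP_ECHO_REQUEST


def fragment_aware_rule(frag: dict, accepted_ids: set) -> bool:
    """Same policy, but a non-initial fragment is admitted when its IP ID
    belongs to a datagram whose first fragment was already accepted. Real
    firewalls should reassemble before filtering (as Linux conntrack does),
    so overlapping or tiny-fragment tricks cannot smuggle a header past the rule."""
    if frag["offset"] == 0:
        ok = frag["data"][0] == ICMP_ECHO_REQUEST
        if ok:
            accepted_ids.add(frag["id"])
        return ok
    return frag["id"] in accepted_ids


def apply_rule(rule, frags: list) -> int:
    """Number of fragments the rule lets through; the target only gets the
    datagram if every fragment arrives."""
    state: set = set()
    return sum(1 for f in frags if rule(f, state))


def ping_outcome(payload_len: int) -> dict:
    """Fragment a ping of `payload_len` bytes and report what each rule passes."""
    frags = fragment(build_icmp_echo(payload_len))
    return {
        "fragments": len(frags),
        "naive_passed": apply_rule(naive_rule, frags),
        "aware_passed": apply_rule(fragment_aware_rule, frags),
    }


if __name__ == "__main__":
    # 1472 is the largest payload that still fits one 1500-byte frame;
    # 1473 is the smallest that forces fragmentation.
    for size in (48, 1472, 1473):
        print(size, ping_outcome(size))
```

The 48-byte ping passes both rules because it never fragments, while the 1473-byte ping reaches the target only through the fragment-aware rule; this is the asymmetry between the two failure rates quoted in the thread, seen from the firewall's side. On Linux the same effect is visible in iptables without connection tracking: the man page for `-f`/`--fragment` notes that second and further fragments cannot match rules that specify ports or an ICMP type, so a default-DROP chain built only from such matches discards them.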