[165247] in North American Network Operators' Group


Re: IP Fragmentation - Not reliable over the Internet?

daemon@ATHENA.MIT.EDU (Dave Brockman)
Tue Aug 27 13:25:36 2013

Date: Tue, 27 Aug 2013 13:25:18 -0400
From: Dave Brockman <dave@dvstn.com>
To: nanog@nanog.org
In-Reply-To: <DCBA21B8-BEB5-445D-8E9E-8BD8C2B09627@ufp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 8/27/2013 10:04 AM, Leo Bicknell wrote:
>
> On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku@ytti.fi> wrote:
>
>> On (2013-08-27 10:45 +0200), Emile Aben wrote:
>>
>>>> 224 vantage points, 10 failed.
>>>
>>> 48 byte ping:    42 out of 3406 vantage points fail (1.0%)
>>> 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
>>
>> Nice, it's starting to almost sound like data rather than
>> anecdote, both tests implicate 4<5% having fragmentation issues.
>>
>> Much larger number than I intuitively had in mind.
>
>
> I'm pretty sure the failure rate is higher, and here's why.
>
> The #1 cause of fragments being dropped is firewalls.  Too many
> admins configuring a firewall do not understand fragments or how
> to properly put them in the rules.
>
> Where do firewalls exist?  Typically protecting things with public
> IP space, that is (some) corporate networks and banks of content
> servers in data centers.  This also includes on-box firewalls for
> Internet servers, ipfw or iptables on the server is just as likely
> to be part of the problem.

It's not just firewalls.... border-routers are also apt to have ACLs
like these[1]:

ip access-list extended BORDER-IN
10 deny tcp any any fragments
20 deny udp any any fragments
30 deny icmp any any fragments
40 deny ip any any fragments

I see these a *LOT* on customer routers, before the packets even get
to the firewall....

Regards,

dtb

1. I found it most recently at
http://hurricanelabs.com/blog/cisco-security-routers/ but I know there
are many other "guides" that include these as part of their ACL.
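The following is an added example, not part of the post or the NANOG thread: a small Python model of why the 1473-byte ping in Emile Aben's numbers fails behind an ACL like BORDER-IN while the 48-byte ping passes. It fragments an IPv4 datagram for a 1500-byte MTU and then evaluates the quoted entries; the Cisco `fragments` keyword is modelled as matching only non-initial fragments (fragment offset greater than zero), and the rest of the ACL is assumed to permit the traffic. The MTU, the implicit permit and the 8-byte ICMP header are assumptions for the model.

```python
"""Added example: why a 'deny ... fragments' border ACL breaks a 1473-byte ping.

Models IPv4 fragmentation of an ICMP echo request for a 1500-byte MTU and
applies the Cisco-style ACL quoted in the post. Assumptions, not data from
the post: the ACL's remaining entries permit the traffic, and the
'fragments' keyword matches only non-initial fragments (offset > 0).
"""
from dataclasses import dataclass

IP_HEADER = 20     # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, echo request header


@dataclass
class Fragment:
    proto: str        # 'icmp', 'tcp' or 'udp'
    offset: int       # fragment offset, in 8-byte units
    more: bool        # MF (more fragments) bit
    payload_len: int  # bytes of L3 payload carried by this fragment


def fragment(proto, payload_len, mtu=1500):
    """Split an IPv4 payload into fragments that each fit the MTU.

    Every fragment except the last carries a multiple of 8 bytes, because
    the fragment offset field counts in 8-byte units.
    """
    max_chunk = (mtu - IP_HEADER) // 8 * 8
    frags = []
    pos = 0
    while pos < payload_len:
        chunk = min(max_chunk, payload_len - pos)
        frags.append(Fragment(proto, pos // 8, pos + chunk < payload_len, chunk))
        pos += chunk
    return frags


# The ACL from the post as (action, protocol, uses_fragments_keyword).
BORDER_IN = [
    ("deny", "tcp", True),
    ("deny", "udp", True),
    ("deny", "icmp", True),
    ("deny", "ip", True),
]


def acl_action(frag, acl=BORDER_IN):
    """Return the action the first matching ACL entry applies to a fragment."""
    for action, proto, frag_only in acl:
        if proto not in ("ip", frag.proto):
            continue
        if frag_only and frag.offset == 0:
            # 'fragments' entries do not match the initial fragment (offset 0),
            # so a full-size or unfragmented packet falls through.
            continue
        return action
    return "permit"  # assumed: the rest of the ACL permits this traffic


def ping_survives(icmp_data_bytes, mtu=1500):
    """Return (reassemblable, fragments) for an echo request with this much data.

    The host can only reassemble the echo request if every fragment is permitted.
    """
    frags = fragment("icmp", ICMP_HEADER + icmp_data_bytes, mtu)
    return all(acl_action(f) == "permit" for f in frags), frags


if __name__ == "__main__":
    for size in (48, 1473):
        ok, frags = ping_survives(size)
        print(f"{size}-byte ping -> {len(frags)} fragment(s), "
              f"{'reassembles' if ok else 'dropped by BORDER-IN'}")
        for f in frags:
            print(f"  offset={f.offset} MF={int(f.more)} payload={f.payload_len} "
                  f"-> {acl_action(f)}")
```

A 1473-byte echo request becomes a 1501-byte datagram, one byte over the MTU, so it is split into a 1480-byte initial fragment and a 1-byte trailing fragment at offset 185. The initial fragment is untouched by the `fragments` entries, but the trailing one is denied by line 30, and the destination can never reassemble the request. This is the failure mode the post describes: the loss happens at the border ACL before any firewall sees the packet.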
