Fragmentation Geoff Huston APNIC Labs. Before Packets… Digitised telephone networks switched time – Each active network transaction was a 56K constant.

Slides:



Advertisements
Similar presentations
1 IP - The Internet Protocol Relates to Lab 2. A module on the Internet Protocol.
Advertisements

CE363 Data Communications & Networking Chapter 7 Network Layer: Internet Protocol.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
IPv4 - The Internet Protocol Version 4
IP datagrams Service paradigm, IP datagrams, routing, encapsulation, fragmentation and reassembly.
Network Layer – IPv4 Dr. Sanjay P. Ahuja, Ph.D.
1 IP - The Internet Protocol Relates to Lab 2. A module on the Internet Protocol.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 5-1 Internet Protocol (IP): Packet Format, Fragmentation, Options Shivkumar Kalyanaraman Rensselaer.
1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.
Network Layer Packet Forwarding IS250 Spring 2010
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Chapter 5 The Network Layer.
1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.
EEC-484/584 Computer Networks Lecture 10 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.
Internet Networking Spring 2003
IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
OSI Model Routing Connection-oriented/Connectionless Network Services.
Guide to TCP/IP, Third Edition
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Introduction Slide 1 A Communications Model Source: generates.
Introduction to Networks CS587x Lecture 1 Department of Computer Science Iowa State University.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
1 IP : Internet Protocol Computer Network System Sirak Kaewjamnong.
Dr. John P. Abraham Professor UTPA
Internet Protocol ECS 152B Ref: slides by J. Kurose and K. Ross.
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
1 Debugging Path MTU Discovery Failures - Techniques and Results Internet2 Member Meeting September 21, 2005 Matthew Luckie, Kenjiro Cho, Bill Owens.
William Stallings Data and Computer Communications
CS 4396 Computer Networks Lab
Network Layer4-1 Datagram networks r no call setup at network layer r routers: no state about end-to-end connections m no network-level concept of “connection”
CSC 600 Internetworking with TCP/IP Unit 5: IP, IP Routing, and ICMP (ch. 7, ch. 8, ch. 9, ch. 10) Dr. Cheer-Sun Yang Spring 2001.
ICMPv6 Error Message Types Informational Message Types.
1 12-Jan-16 OSI network layer CCNA Exploration Semester 1 Chapter 5.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.
Building A Network: Cost Effective Resource Sharing
COMPUTER NETWORKS CS610 Lecture-30 Hammad Khalid Khan.
1 COMP 431 Internet Services & Protocols The IP Internet Protocol Jasleen Kaur April 21, 2016.
Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Lecture 13 IP V4 & IP V6. Figure Protocols at network layer.
1 28-Sep-16 S Ward Abingdon and Witney College CCNA Exploration Semester 1 OSI network layer CCNA Exploration Semester 1 Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI network layer CCNA Exploration Semester 1 – Chapter 5.
Large (UDP) Packets in IPv6
Network Layer & IP Protocol.
Chapter 3 TCP and IP Chapter 3 TCP and IP.
IP - The Internet Protocol
IP - The Internet Protocol
Joao Damas, Geoff Labs March 2018
CS 457 – Lecture 10 Internetworking and IP
IP - The Internet Protocol
IPv6: Are we really ready to turn off IPv4?
Dr. John P. Abraham Professor UTPA
IP : Internet Protocol Surasak Sanguanpong
EEC-484/584 Computer Networks
Dr. John P. Abraham Professor UTRGV, EDINBURG, TX
IP - The Internet Protocol
Dr. John P. Abraham Professor UTPA
Net 323 D: Networks Protocols
IP - The Internet Protocol
Network Layer: Control/data plane, addressing, routers
ITIS 6167/8167: Network and Information Security
IP - The Internet Protocol
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

Fragmentation Geoff Huston APNIC Labs

Before Packets… Digitised telephone networks switched time – Each active network transaction was a 56K constant bit rate data stream – Each stream was divided into 8,000 7 bit samples per second – Each 7 bit sample was aggregated with other samples and packed into frames – Each frame was switched at 8K frames per second

Packets are Different Computers do not require constant bit rate They can optimise their data rates to make efficient use of the network They can vary the packet size to match the requirements of the application and the network They do not rely on a network state – each packet contains information in the header to allow it to be passed to the destination

Packet Networks are Different The range of packet sizes supported in a network represents a set of engineering trade-offs – Bit error rate of the underlying media – Desired carriage efficiency – Transmission speed vs packet switching speed

Media Packet Sizes Ethernet 64 – 1,500 octets – These numbers were derived from the original CSMA-CD design FDDI 4,532 octets Frame Relay 46 – 4,470 octets ATM 53 octets BER, Framing, FEC (or not), Jitter, HOL blocking, etc all play a role in the design tradeoffs for media packet sizes

The IEEE Jumbogram Fiasco 1500 octets was fine for 10Mbps – 800 packets per second But at 100Gbps? – 8,000,000 pps So why not allow for larger packets? Yes, but what size? – IEEE found themselves incapable of standardizing which size to pick – So they ended up picking none!

Protocol Design Adopt a fixed packet size approach – Tends to be a lower number (see ATM) – Decreases carriage efficiency and increases packet switching loads Adopt a variable size approach – Maximises applicability – Maximises carriage efficiency – But the protocol needs to cope with packet size mismatch as a packet traverses multiple networks

IPv4 Packet Design FORWARD fragmentation – If a router cannot forward a packet on its next hop due to a packet size mismatch then it is permitted to fragment the packet, preserving the original IP header in each of the fragments

IPv4 Fragmentation Control

IPv4 Fragmentation

IPv4 and the Don’t Fragment bit If Fragmentation is not permitted by the source, then the router discards the packet. The router may send an ICMP to the packet source with an Unreacahble code (Type 3, Code 4) Later implementations added a MTU size to this ICMP message ICMP messages are extensively filtered in the Internet so applications should not count on receiving these messages

Trouble at the Packet Mill Lost frags require a resend of the entire packet – this is far less efficient than repairing a lost packet Fragments represent a security vulnerability as they are easily spoofed Fragments represent a problem to firewalls – without the transport headers it is unclear whether frags should be admitted or denied Packet reassembly consumes resources at the destination

The thinking at the time… Fragmentation was a Bad Idea! Kent, C. and J. Mogul, "Fragmentation Considered Harmful", Proc. SIGCOMM '87 Workshop on Frontiers in Computer Communications Technology, August 1987

IPv6 Packet Design Attempt to repair the problem by effectively jamming the DON’T FRAGMENT bit to ON IPv6 uses BACKWARD signalling – When a packet is too big for the next hop a router should send an ICMP6 TYPE 2 (Packet Too Big) message to the source address and include the MTU of the next hop.

IPv6 Source Fragmentation

What changed? Whats the same? Both protocols may fragment a packet at the source Both protocols support a Packet Too Big signal from the interior of the network to the source Only IPv4 routers may generate fragments on-the-fly

What does “Packet Too Big” mean anyway? errrrr

It’s a Layering Problem Fragmentation was seen as an IP level problem – It was meant to be agnostic with respect to the upper level (transport) protocol But we don’t treat it like that – And we expect different transport protocols to react to fragmentation notification in different ways

What does “Packet Too Big” mean anyway? For TCP it means that the active session referred to in the ICMP payload* should drop its session MSS to match the MTU ** i.e. you should never see IPv6 fragments in TCP! * IPv4: assuming that the payload contains the original IP header ** assuming that the ICMP is genuine

What does “Packet Too Big” mean anyway? For UDP its not clear: – The offending packet has gone away! – Some IP implementations appear to ignore it – Others add a host entry to the local IP Forwarding table that records the MTU

Problems ICMP is readily spoofed – An attacker may send a fragment stream with a maximum fragment offset value causing a potential memory starvation issue on the destination – A attacker may send partially overlapping fragments – An attacker may spoof ICMP PTB messages with very low MTU values – An attacker may spoof a stream of ICMP PTB messages with random IPv6 source addresses

Problems Therefore ICMP is widely filtered – leading to black holes in TCP sessions GET is a small HTTP packet The response can be arbitrarily large, and if there is a path MTU mismatch the response can wedge Get Response

Problems Therefore ICMP is widely filtered – Ambiguity in UDP Is packet loss due to congestion or MTU mismatch? Should I give up, resend or revert to TCP?

Problems Backward signalling is unreliable – In no other part of the IP protocol is it assumed that the source address of an IP packet is reliably reachable by anything other than the addressed destination – Source addresses are not necessarily “real” MPLS IP tunnels SDN

Who should control packet fragmentation? Is fragmentation and reassembly an IP-Layer function or a Application Session function? – i.e. is the DNS use of EDNS0 buffer size options with explicit max MTU signalling under application control a better approach than allowing the IP layer to manage this?

e.g. DNS and EDNS0 The DNS is the most critical user of UDP Developments in security protocol evolution has lead to larger DNS responses DNS took on explicit fragmentation control with EDNS0 – Loss of fragment coherence leads to re-query with lower buffer size, which leads to fallback to TCP – This is controlled by the DNS application, not the network layer

Where now? Option 1 Deprecate Fragmentation? – Bonica had a draft on this for IPv6: draft-bonica-6man-frag-deprecate-02

Where now? Option 2 Walk away from variable size and adopt a single max MTU for IP? – But what is the “single” MTU size? 65535? 9000? 1500? 1280? 512? ???

Where now? Option 3 Keep fragmentation, and try and make ICMP PTB work consistently and reliably across all of the Internet for IPv6 (and IPv4)?

or Option 0 Just do nothing and just hope it all goes away!

Discuss!