I was wondering about fragments in IPv4 and IPv6 source fragments. As you may know, intermediate nodes in IPv6 don't fragment packets, so that is a big responsibility taken off them - probably done to make hardware implementation far, far less costly.
Do people get problems with fragments getting handled poorly? With IPv4 intermediate fragmentation or source fragmentation, or IPv6 source fragmentation?
I read an article that said that fragmented IPv4 UDP (say) was not handled well at all in practice in the author's experience, but I don't know where that was or how general it is.
I also heard some rumours that some firewalls do not react well to fragments. What is your experience?
They can, I presume, be too paranoid and just bin everything. I doubt they reassemble fragments; it would be very costly, but without doing so I imagine they could get fooled. Perhaps a firewall should do a partial reassembly-like thing where it ensures that it at least gets the entirety of the first n bytes of an L3 SDU (i.e. L3 payload) so it can do its checks, either by assuming that fragmentation in the wrong place (a strange place, or when fragment 1 is far too short) is an attack, so it then bins the whole thing. The alternative would be reassembling/concatenating just enough stuff to get that n bytes together. I am not sure about the need for the latter option though, and it would probably rely on software, so it could present a DoS attack by eating up CPU time with cases that cannot be dealt with by offload hardware, only in a system that has a lot of hardware assist.
Could an application designer just say that fragmentation is not the end of the world? More so in IPv6?
In IPv6, what on earth happens if your path MTU changes on the fly and you are source-fragmenting packets? There is a ‘what is supposed to happen’ and there is a ‘what does happen?’. A real case would be when a failover happens and this causes a change of path, through a reduced MTU.
This is one of the things putting me off going for 3G failover from DSL: MTU reduction on the fly (it was discussed in an earlier thread). I could fix it by reducing the MTU all the time, but that seems a bit harsh. I could just test it, and possibly then ignore the issue of fragmentation.
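The "first n bytes" check described in the post (drop a first fragment that is too short to carry the transport header, so the firewall can inspect it without full reassembly) can be written as a stateless per-fragment classifier. The following is an added example, not code from the original post or from any particular firewall; it parses constructed IPv4 headers and IPv6 Fragment extension headers, applies the short-first-fragment rule, and also generalizes it by refusing later fragments whose offset lands inside the header region (which would otherwise overwrite already-inspected bytes). The per-protocol minimum sizes, the packet builders, and the verdict strings are my own assumptions.

```python
import struct

# Minimum number of L3-payload bytes the first fragment must carry before the
# transport header can be inspected (assumed policy: full base header).
MIN_FIRST_FRAGMENT_BYTES = {
    6: 20,   # TCP: base header without options
    17: 8,   # UDP: entire header
}


def parse_ipv4(pkt):
    """Return (proto, fragment_offset_bytes, more_fragments, payload)."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    offset = (flags_frag & 0x1FFF) * 8           # offset is in 8-byte units
    return proto, offset, more_fragments, pkt[ihl:total_len]


def parse_ipv6(pkt):
    """Return (proto, fragment_offset_bytes, more_fragments, payload).

    Only the Fragment extension header (next header 44) is handled; other
    extension headers are out of scope for this example."""
    first_word, payload_len, next_hdr, _hop = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    payload = pkt[40:40 + payload_len]
    if next_hdr != 44:
        return next_hdr, 0, False, payload
    inner_next, _res, off_res_m, _ident = struct.unpack("!BBHI", payload[:8])
    offset = (off_res_m >> 3) * 8                # 13-bit offset, 8-byte units
    more_fragments = bool(off_res_m & 1)         # M flag
    return inner_next, offset, more_fragments, payload[8:]


def classify(proto, offset, more_fragments, payload):
    """Verdict for one fragment, without reassembling anything."""
    if offset == 0 and not more_fragments:
        return "unfragmented"
    need = MIN_FIRST_FRAGMENT_BYTES.get(proto)
    if need is None:
        return "fragment"                         # no header-size policy here
    if offset == 0:
        # First fragment must carry the whole transport header.
        return "ok-first" if len(payload) >= need else "drop-short-first"
    if offset < need:
        # A later fragment that would overwrite the inspected header region.
        return "drop-overlaps-header"
    return "ok-later"


def build_ipv4(proto, offset, more_fragments, payload):
    """Constructed IPv4 fragment (checksum left zero; not verified here)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_ipv6(proto, offset, more_fragments, payload):
    """Constructed IPv6 packet carrying a Fragment extension header."""
    frag_hdr = struct.pack("!BBHI", proto, 0,
                           ((offset // 8) << 3) | (1 if more_fragments else 0),
                           0xABCD)
    body = frag_hdr + payload
    src = b"\x00" * 15 + b"\x01"
    dst = b"\x00" * 15 + b"\x02"
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(body), 44, 64, src, dst)
    return hdr + body


def verdict_ipv4(pkt):
    return classify(*parse_ipv4(pkt))


def verdict_ipv6(pkt):
    return classify(*parse_ipv6(pkt))


if __name__ == "__main__":
    # Constructed samples: a 4-byte first fragment cannot hold a UDP header.
    print(verdict_ipv4(build_ipv4(17, 0, True, b"\x00" * 4)))
    print(verdict_ipv4(build_ipv4(17, 0, True, b"\x00" * 16)))
    print(verdict_ipv4(build_ipv4(6, 8, True, b"\x00" * 16)))
    print(verdict_ipv6(build_ipv6(17, 0, True, b"\x00" * 4)))
```

The classifier is deliberately stateless: it never reassembles, so it cannot be made to burn CPU on incomplete fragment sets, which is the DoS concern raised above. The price is that a first fragment shorter than the policy size is dropped outright rather than waited for.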