On 8/27/2013 10:04 AM, Leo Bicknell wrote:
On Aug 27, 2013, at 6:24 AM, Saku Ytti <saku@ytti.fi> wrote:
On (2013-08-27 10:45 +0200), Emile Aben wrote:
224 vantage points, 10 failed.
48 byte ping: 42 out of 3406 vantage points fail (1.0%)
1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
Nice, it's starting to almost sound like data rather than anecdote, both tests implicate 4<5% having fragmentation issues.
Much larger number than I intuitively had in mind.
I'm pretty sure the failure rate is higher, and here's why.
The #1 cause of fragments being dropped is firewalls. Too many admins configuring a firewall do not understand fragments or how to properly put them in the rules.
Where do firewalls exist? Typically protecting things with public IP space, that is (some) corporate networks and banks of content servers in data centers. This also includes on-box firewalls for Internet servers, ipfw or iptables on the server is just as likely to be part of the problem.
It's not just firewalls.... border-routers are also apt to have ACLs like these[1]:

  ip access-list extended BORDER-IN
   10 deny tcp any any fragments
   20 deny udp any any fragments
   30 deny icmp any any fragments
   40 deny ip any any fragments

I see these a *LOT* on customer routers, before the packets even get to the firewall....

Regards,
dtb

1. I found it most recently at http://hurricanelabs.com/blog/cisco-security-routers/ but I know there are many other "guides" that include these as part of their ACL.
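As an added example (not part of the thread), a small audit script that scans an IOS-style configuration for the kind of "deny ... fragments" entries quoted above. The configuration text is constructed for the example; only the BORDER-IN lines come from the message, the MGMT-IN ACL and the extra entries are made up to show what the check ignores.

```python
"""Find IOS extended-ACL entries that discard IP fragments."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample config. BORDER-IN is the ACL quoted in the thread;
# entries 50/60 and the MGMT-IN ACL are invented to show non-matching lines.
SAMPLE_CONFIG = """\
!
ip access-list extended BORDER-IN
 10 deny tcp any any fragments
 20 deny udp any any fragments
 30 deny icmp any any fragments
 40 deny ip any any fragments
 50 deny tcp any any eq 23
 60 permit ip any any
ip access-list extended MGMT-IN
 10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 20 deny ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list (?:extended|standard) (\S+)")
# optional sequence number, action, protocol, then the rest of the ACE
ACE = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class FragmentDrop:
    acl: str
    seq: Optional[str]
    proto: str


def find_fragment_drops(config: str) -> List[FragmentDrop]:
    """Return every deny ACE that carries the 'fragments' keyword.

    In IOS the 'fragments' keyword limits an ACE to non-initial fragments,
    so 'deny ... fragments' silently drops the tail of every fragmented
    datagram even when the initial fragment is permitted further down.
    """
    hits: List[FragmentDrop] = []
    current_acl: Optional[str] = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current_acl = header.group(1)
            continue
        ace = ACE.match(line) if current_acl else None
        if not ace:
            continue
        seq, action, proto, rest = ace.groups()
        if action == "deny" and "fragments" in rest.split():
            hits.append(FragmentDrop(current_acl, seq, proto))
    return hits
```

Run it over exported configs to list which routers still have these entries before debugging path-MTU complaints.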