Practical, Legitimate IP Fragmentation?

Clarke Morledge chmorl at wm.edu
Wed Mar 12 16:58:11 GMT 2003


Are there any of you maintaining a firewall at the campus edge blocking
IP fragments from coming in (or even going out) of your network?  In view
of the security risks associated with fragmentation, is this a good idea?

Theoretically, you should always pass IP fragments due to variances in
Maximum Transfer Units (MTU) along a traffic path.  But practically
speaking, in a world today where Ethernet is almost everywhere, the
chances of running into an MTU different from standard Ethernet are
relatively small.  Granted, there are exceptions, but a consistent MTU
intra-campus and across the Internet seems to hold.

Currently, we do allow IP fragments to pass through our firewall.
However, the risk associated with allowing fragments to pass through a
campus edge seems high:  most router ACLs are unable to block IP fragments
at the UDP/TCP port level, and damaging payloads can be hidden in
fragments with some relative ease.

Considering the risks, can anyone tell me in terms of "real world"
experience why we should continue to pass fragments?  Cisco, our PIX
firewall vendor, recommends that IP fragments be dropped if at all
possible.  Do you agree?

I do see some IP fragmentation on a regular basis, but I do not know how
legitimate it is.  We see a number of applications, primarily streaming or
other media applications using the Real Time Protocol (RTP), that
habitually use large datagram sizes that have to be broken up in smaller
pieces (IP fragmentation) to get them across our Ethernet networks.

I am having difficulty seeing how this practice by RTP applications
is really necessary.  It seems horribly inefficient to fragment this type
of traffic, particularly in a "real time" application.  You drop one
packet, you lose the whole UDP data chunk spread across multiple IP
fragments.  Can anyone tell me why some of these RTP applications work
this way?

I am very tempted to just go ahead and block fragments and wait until
someone screams, but I was wondering if anyone else has had any experience
in this area.

Thanks.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
757-221-1536
chmorl at wm.edu
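To make two of the points above concrete (a port-level ACL only sees UDP/TCP ports in the first fragment, and losing any one fragment loses the whole datagram), here is an added Python example that is not part of the original post. It builds the IPv4 fragments of a constructed 2000-byte UDP datagram sent over a 1500-byte Ethernet MTU, shows what a stateless port filter can read from each fragment, and reassembles them; the function names and sample datagram are my own assumptions.

```python
import struct

MTU = 1500       # standard Ethernet MTU, as assumed in the post
IP_HLEN = 20     # IPv4 header without options (assumed throughout)
MF = 0x2000      # "More Fragments" bit in the flags/fragment-offset field
IPV4_FMT = "!BBHHHBBH4s4s"

def fragment(payload, src, dst, proto=17, ident=1):
    """Split one datagram payload (e.g. a UDP/RTP datagram) into IPv4 fragments fitting the MTU."""
    chunk = (MTU - IP_HLEN) & ~7    # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = off + chunk < len(payload)
        flags_off = (MF if more else 0) | (off // 8)   # offset is stored in 8-byte units
        hdr = struct.pack(IPV4_FMT, 0x45, 0, IP_HLEN + len(data), ident,
                          flags_off, 64, proto, 0, src, dst)    # checksum left 0 (constructed)
        frags.append(hdr + data)
    return frags

def inspect(pkt):
    """What a stateless, port-level ACL can learn from a single packet on the wire."""
    ver_ihl, _, _, _, flags_off, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:IP_HLEN])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8
    info = {"fragment": bool(flags_off & MF) or offset != 0, "offset": offset, "ports": None}
    # The L4 header exists only at offset 0; later fragments are opaque payload to an ACL.
    if proto in (6, 17) and offset == 0 and len(pkt) >= ihl + 4:
        info["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def reassemble(frags):
    """Return the original payload, or None if any fragment of the datagram is missing."""
    parts = []
    for f in frags:
        flags_off = struct.unpack("!H", f[6:8])[0]
        parts.append(((flags_off & 0x1FFF) * 8, bool(flags_off & MF), f[IP_HLEN:]))
    parts.sort()
    expect, data, saw_last = 0, b"", False
    for off, more, chunk in parts:
        if off != expect:
            return None          # a hole in the offsets: a fragment was dropped
        data += chunk
        expect += len(chunk)
        saw_last = not more
    return data if saw_last else None
```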