On 8/27/2013 10:04 AM, Leo Bicknell wrote:
>
> On Aug 27, 2013, at 6:24 AM, Saku Ytti <s...@ytti.fi> wrote:
>
>> On (2013-08-27 10:45 +0200), Emile Aben wrote:
>>
>>>> 224 vantage points, 10 failed.
>>>
>>> 48 byte ping: 42 out of 3406 vantage points fail (1.0%)
>>> 1473 byte ping: 180 out of 3540 vantage points fail (5.1%)
>>
>> Nice, it's starting to almost sound like data rather than
>> anecdote, both tests implicate 4<5% having fragmentation issues.
>>
>> Much larger number than I intuitively had in mind.
>
>
> I'm pretty sure the failure rate is higher, and here's why.
>
> The #1 cause of fragments being dropped is firewalls. Too many
> admins configuring a firewall do not understand fragments or how
> to properly put them in the rules.
>
> Where do firewalls exist? Typically protecting things with public
> IP space, that is (some) corporate networks and banks of content
> servers in data centers. This also includes on-box firewalls for
> Internet servers, ipfw or iptables on the server is just as likely
> to be part of the problem.
It's not just firewalls.... border-routers are also apt to have ACLs
like these[1]:

ip access-list extended BORDER-IN
 10 deny tcp any any fragments
 20 deny udp any any fragments
 30 deny icmp any any fragments
 40 deny ip any any fragments

I see these a *LOT* on customer routers, before the packets even get
to the firewall....

Regards,
dtb

1. I found it most recently at http://hurricanelabs.com/blog/cisco-security-routers/
but I know there are many other "guides" that include these as part of
their ACL.
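A small config-audit script for the ACL pattern dtb quotes, added here as an example and not part of the thread: it parses IOS-style named extended ACLs and flags every ACE that denies non-initial fragments (the `fragments` keyword), so the rules Leo and dtb describe can be found before they reach production. The sample configuration is constructed and the regexes cover only the simple ACE shapes shown here.

```python
import re
from typing import Dict, List

# Constructed sample: the BORDER-IN ACL quoted in the thread, plus a trailing
# permit and a second ACL so the audit has a clean ACL to compare against.
SAMPLE_CONFIG = """\
ip access-list extended BORDER-IN
 10 deny tcp any any fragments
 20 deny udp any any fragments
 30 deny icmp any any fragments
 40 deny ip any any fragments
 50 permit ip any any
ip access-list extended MGMT-IN
 10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 20 deny ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)")
# IOS ACE inside a named ACL: optional sequence number, action, protocol, rest.
ACE = re.compile(r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def parse_acls(config: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [ace, ...]} for IOS-style named extended ACLs."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE.match(line) if current else None
        if ace:
            seq, action, proto, rest = ace.groups()
            acls[current].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "proto": proto,
                # 'fragments' makes the ACE match non-initial fragments only
                "fragments": "fragments" in rest.split(),
            })
    return acls


def find_fragment_drops(config: str) -> List[str]:
    """Flag ACEs that drop non-initial fragments outright (the thread's pattern)."""
    findings = []
    for name, aces in parse_acls(config).items():
        for ace in aces:
            if ace["action"] == "deny" and ace["fragments"]:
                findings.append(f"{name} seq {ace['seq']}: deny {ace['proto']} fragments")
    return findings


if __name__ == "__main__":
    for finding in find_fragment_drops(SAMPLE_CONFIG):
        print(finding)
```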