C.K.B.

Version 0.0.9

Czaku's Knowledge Base

Fragmentation

IPv4 fragmentation results in a small increase in CPU and memory overhead to fragment an IPv4 datagram. This is true for the sender and for a router in the path between a sender and a receiver.

Creating fragments means building a fragment header for each piece and copying the corresponding part of the original datagram into it.

This is cheap because everything needed to build the fragments (the original header, the data and the outgoing MTU) is already at hand.

Fragmentation causes more overhead for the receiver when reassembling the fragments because the receiver must allocate memory for the arriving fragments and coalesce them back into one datagram after all of the fragments are received.

Reassembly on a host is not considered a problem because the host has the time and memory resources to devote to this task; it still has to bound that memory, so incomplete datagrams are discarded when a reassembly timer expires.

Reassembly, however, is inefficient on a router whose primary job is to forward packets as quickly as possible.

A router is not designed to hold on to packets for any length of time.

A router that does reassemble has to reserve its largest buffer (18K) for every datagram in progress, because it has no way to know the size of the original IPv4 packet until the last fragment arrives.

Another fragmentation issue involves how dropped fragments are handled.

If one fragment of an IPv4 datagram is dropped, the entire original IPv4 datagram must be retransmitted, and it is fragmented all over again.

This is seen with Network File System (NFS). NFS has a read and write block size of 8192 bytes.

An NFS IPv4/UDP datagram is therefore approximately 8500 bytes (8192 bytes of data plus the NFS/RPC, UDP and IPv4 headers).

A sending station connected to an Ethernet (MTU 1500) has to fragment the 8500-byte datagram into six pieces: five 1500-byte fragments and one 1100-byte fragment. Each fragment carries its own 20-byte IPv4 header, so the first five carry 1480 bytes of data each and the last carries the remaining 1080 bytes.

If any of the six fragments is dropped because of a congested link, the complete original datagram has to be retransmitted, which produces six new fragments.

If this link drops one packet in six, the odds that all six fragments of a given 8500-byte datagram arrive are low (about one in three if the drops are independent), and every loss costs a full 8500-byte retransmission, so very little NFS data gets across the link.

Firewalls that filter or manipulate packets based on Layer 4 (L4) through Layer 7 (L7) information have trouble processing IPv4 fragments correctly.

If the IPv4 fragments arrive out of order, such a firewall blocks the non-initial fragments, because they do not carry the L4 header the packet filter needs to match on.

The receiving host then never gets all the pieces and cannot reassemble the original IPv4 datagram.

If instead the firewall is configured to let non-initial fragments through even though they carry too little information to match the filter, a non-initial fragment attack through the firewall becomes possible: data can be pushed past the filter in fragments that never contain an L4 header.

Network devices such as Content Switch Engines direct packets based on L4 through L7 information; if the information they need spans multiple fragments, the device cannot enforce its policy reliably.
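The NFS example and the firewall discussion above, worked through in code. This is an added example, not code from the knowledge base: it builds the 8500-byte datagram (the 280 bytes standing in for RPC/NFS headers, the addresses, the IP id and the "permit udp any any eq 2049" rule are constructed), fragments it the way RFC 791 requires (20-byte header per fragment, offsets in 8-byte units, MF flag on all but the last), reassembles it, and then shows what a stateless port-based filter does with the fragments under both policies, plus the delivery odds at a one-in-six loss rate.

```python
"""IPv4 fragmentation of an NFS-sized UDP datagram, its reassembly, and what a
stateless L4 packet filter makes of the fragments. Added example, not from the
original page; datagram layout, addresses and the 2049/udp rule are constructed."""
import struct

IP_HDR_LEN = 20            # IPv4 header without options
UDP_HDR_LEN = 8
MF = 0x2000                # "More Fragments" flag in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF       # fragment offset, in units of 8 bytes
PROTO_UDP = 17
NFS_PORT = 2049
SRC = bytes([10, 1, 1, 1])        # constructed addresses
DST = bytes([10, 10, 10, 10])


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len, ident, flags_offset, proto, src=SRC, dst=DST):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_offset, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fragment(payload: bytes, ident: int, mtu: int, proto=PROTO_UDP):
    """Split one IP payload into fragments that fit the MTU (RFC 791 rules):
    every fragment but the last carries a multiple of 8 data bytes, because
    the offset field counts 8-byte units, and each gets its own 20-byte header."""
    max_data = (mtu - IP_HDR_LEN) & ~7
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        flags_offset = (MF if more else 0) | (offset // 8)
        frags.append(ipv4_header(IP_HDR_LEN + len(chunk), ident, flags_offset, proto) + chunk)
        offset += len(chunk)
    return frags


def parse(pkt: bytes) -> dict:
    ver_ihl, _, total_len, ident, flags_offset, _, proto, _, _, _ = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(flags_offset & MF),
            "offset": (flags_offset & OFFSET_MASK) * 8,
            "proto": proto, "data": pkt[ihl:total_len]}


def reassemble(frags):
    """Rebuild the payload from the fragments of one datagram (same id, any order).
    Returns None while any piece is missing, as a host's reassembly queue would."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    if not parts or parts[-1]["mf"]:
        return None                      # last fragment not seen yet
    buf = b""
    for p in parts:
        if p["offset"] != len(buf):
            return None                  # hole in the middle
        buf += p["data"]
    return buf


def stateless_filter(frags, allow_non_initial: bool):
    """Rule: permit udp any any eq 2049. Only the initial fragment (offset 0)
    carries the UDP header; the policy flag decides the fate of the others."""
    passed = []
    for f in frags:
        p = parse(f)
        if p["offset"] == 0:
            if p["proto"] == PROTO_UDP and len(p["data"]) >= UDP_HDR_LEN:
                dport = struct.unpack("!HHHH", p["data"][:UDP_HDR_LEN])[1]
                if dport == NFS_PORT:
                    passed.append(f)
        elif allow_non_initial:
            passed.append(f)             # nothing to match on; waved through
    return passed


def build_nfs_datagram(block_size=8192) -> bytes:
    """IP payload of an NFS write: UDP header + 280 constructed bytes standing in
    for the RPC/NFS headers + one 8192-byte block = 8480 bytes (8500-byte datagram)."""
    udp_payload = b"\x00" * 280 + b"\xAB" * block_size
    udp_hdr = struct.pack("!HHHH", 1023, NFS_PORT, UDP_HDR_LEN + len(udp_payload), 0)
    return udp_hdr + udp_payload


def nfs_fragments(mtu=1500):
    return fragment(build_nfs_datagram(), ident=0x1234, mtu=mtu)


def rogue_fragment() -> bytes:
    """A non-initial fragment of an unrelated flow (TCP, id 99, offset 8): it has
    no L4 header, so a port-based rule cannot tell it apart from NFS traffic."""
    return ipv4_header(IP_HDR_LEN + 64, 99, 1, proto=6) + b"\x90" * 64


def delivery_probability(n_fragments: int, loss_rate: float) -> float:
    """Chance that all fragments of one datagram arrive, with independent drops."""
    return (1 - loss_rate) ** n_fragments


if __name__ == "__main__":
    frags = nfs_fragments()
    print([len(f) for f in frags])                          # [1500, 1500, 1500, 1500, 1500, 1100]
    print(reassemble(stateless_filter(frags, False)))        # None: only the initial fragment passed
    print(reassemble(stateless_filter(frags, True)) == build_nfs_datagram())   # True
    print(len(stateless_filter([rogue_fragment()], True)))   # 1: the rogue fragment passes too
    print(round(delivery_probability(6, 1 / 6), 3))          # 0.335
```

With the strict policy the receiver only ever sees the initial fragment and reassembly never completes; with the permissive policy NFS works, but so does any non-initial fragment of any protocol, which is the non-initial fragment problem in one line of output. Real firewalls get around this by reassembling (or at least tracking the initial fragment's verdict per IP id) before applying L4 rules.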

Layer 2

Layer 2 does not fragment. It is up to Layer 3 to hand Layer 2 packets that already fit Layer 2's MTU.

IP does not care whether a packet is 1500 bytes or 9999 bytes; it only knows what its underlying Layer 2 link can carry. The Total Length field in the IPv4 header is a 16-bit value, so IP can build a packet of up to 65535 bytes if necessary, but only if the underlying Layer 2 fabric supports that size; otherwise the packet has to be fragmented.

Layer 3

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size.

The MTU is a property of each interface. It comes from the hardware default, is configured statically, or is learned via DHCP (option 26, Interface MTU).

Layer 4

Layer 4 travels in the payload of IP packets, so reducing the IP MTU reduces the maximum Layer 4 payload size.

TCP

The Transmission Control Protocol (TCP) Maximum Segment Size (MSS) is the largest amount of data a host is willing to receive in a single TCP segment; it is announced during the handshake and counts TCP payload only, not the IP or TCP headers. TCP normally picks an MSS that just fits the outgoing interface MTU: for IPv4 with no options that is MTU minus 40 bytes, so 1460 bytes on a 1500-byte Ethernet. A TCP stack could use an MSS larger than the MTU allows, in which case IP would have to split each segment across several packets, but that is IP fragmentation, not TCP. TCP uses the MSS to divide the transmitted application data into segments that should not need further IP fragmentation on the path.

UDP

UDP has no MSS and no mechanism of its own to adapt datagram size to the path; it relies on the IP layer (fragmentation, or PMTUD feedback that the application has to act on) to get its datagrams across.

Path Maximum Transmission Unit Discovery (PMTUD)

On the hosts discussed here PMTUD is used by TCP and UDP only; other protocols do not take part. If PMTUD is enabled on a host, all TCP and UDP packets it sends have the DF bit set.

When a host sends a full-MSS data packet with the DF bit set, PMTUD reduces the send MSS for that connection if the host is told that the packet would have required fragmentation.

A host remembers the MTU it learned for a destination by creating a host (/32) entry in its routing table that carries that MTU value.

If a router attempts to forward an IPv4 datagram (with the DF bit set) onto a link that has a lower MTU than the size of the packet, the router drops the packet and returns an Internet Control Message Protocol (ICMP) "Destination Unreachable" message to the IPv4 datagram source with the code that indicates "fragmentation needed and DF set" (type 3, code 4). The message also carries the MTU of the next-hop link (RFC 1191), which is what the source uses to pick the new size.

When the source host receives the ICMP message, it lowers its send MSS, and when TCP retransmits the segment it uses the smaller size.

Here is an example of an ICMP "fragmentation needed and DF set" message seen on a router after the debug ip icmp command is enabled:

ICMP: dst (10.10.10.10) frag. needed and DF set unreachable sent to 10.1.1.1
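The PMTUD exchange described above (and the MSS arithmetic from the TCP section), played out between a TCP sender and a chain of routers. This is an added example, not code from the knowledge base or from any router vendor: the three-router topology with 1500-, 1400- and 1280-byte links, the router names, the 4000-byte write and the five-retransmission limit are constructed. It also covers the case the page's firewall section makes relevant in practice: when the type 3 code 4 message is filtered on the way back, the sender never learns to shrink (a PMTUD black hole).

```python
"""PMTUD exchange between a TCP sender and a path of routers with shrinking
link MTUs, including the black-hole case where the ICMP reply never arrives.
Added example, not from the original page; topology and sizes are constructed."""
from dataclasses import dataclass

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
ICMP_DEST_UNREACH = 3      # ICMP type
ICMP_FRAG_NEEDED = 4       # code: "fragmentation needed and DF set"


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of this MTU (no options)."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


@dataclass
class Link:
    router: str            # router that forwards onto this link
    mtu: int


@dataclass
class IcmpUnreachable:
    icmp_type: int
    code: int
    next_hop_mtu: int      # RFC 1191 field the sender uses to pick the new size
    router: str


def forward(path, pkt_len: int, df: bool, icmp_filtered: bool = False):
    """Walk the links toward the destination; return (delivered, icmp_or_None).
    A router that cannot forward a DF packet onto a smaller-MTU link drops it
    and answers with type 3 code 4. If something between that router and the
    sender filters ICMP, the sender sees only silence (a PMTUD black hole)."""
    for link in path:
        if pkt_len > link.mtu:
            if not df:
                continue                      # router would fragment and forward
            if icmp_filtered:
                return False, None
            return False, IcmpUnreachable(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                          link.mtu, link.router)
    return True, None


class TcpSender:
    def __init__(self, local_mtu: int = 1500, max_retries: int = 5):
        self.mss = mss_for_mtu(local_mtu)     # starts from the interface MTU
        self.host_routes = {}                 # dst -> learned path MTU (the /32 entry)
        self.max_retries = max_retries
        self.log = []

    def send_segment(self, dst: str, path, data_len: int, icmp_filtered=False) -> bool:
        """Send one full-MSS segment with DF set; on ICMP feedback lower the send
        MSS, record the path MTU for dst and retransmit at the new size."""
        for _ in range(self.max_retries):
            pkt_len = IP_HDR_LEN + TCP_HDR_LEN + min(data_len, self.mss)
            delivered, icmp = forward(path, pkt_len, df=True, icmp_filtered=icmp_filtered)
            if delivered:
                self.log.append(("delivered", pkt_len))
                return True
            if icmp is None:
                self.log.append(("timeout", pkt_len))   # nothing told us to shrink
                continue
            self.log.append(("icmp", icmp.router, icmp.next_hop_mtu))
            self.host_routes[dst] = icmp.next_hop_mtu
            self.mss = mss_for_mtu(icmp.next_hop_mtu)
        return False


def demo(icmp_filtered: bool = False):
    """Sender on 1500-byte Ethernet, path crossing 1400- and 1280-byte links."""
    path = [Link("R1", 1500), Link("R2", 1400), Link("R3", 1280)]   # constructed
    sender = TcpSender()
    ok = sender.send_segment("10.10.10.10", path, data_len=4000, icmp_filtered=icmp_filtered)
    return ok, sender.mss, sender.host_routes, sender.log


if __name__ == "__main__":
    # (True, 1240, {'10.10.10.10': 1280}, [('icmp', 'R2', 1400), ('icmp', 'R3', 1280), ('delivered', 1280)])
    print(demo())
    # (False, 1460, {}, [('timeout', 1500), ('timeout', 1500), ('timeout', 1500), ('timeout', 1500), ('timeout', 1500)])
    print(demo(icmp_filtered=True))
```

Each ICMP in the log corresponds to a line like the debug output above, sent by the router that could not forward onto its next link; the sender converges in two round trips to a 1240-byte MSS and keeps a 1280-byte host route for 10.10.10.10. With ICMP filtered it just retransmits the same 1500-byte packet until it gives up, which is why a firewall that blocks all ICMP should at least let type 3 code 4 through toward the sender.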

Last updated on 13 Jun 2024
Published on 13 Jun 2024