Ask Your Question
0

Fragmentation flags in IP Header

asked 2017-11-22 16:53:14 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hey! I have been observing ip-ethereal-trace-1 in which I noticed an unusual thing.

When we have a packet that is greater than 1514 bytes, it gets fragmented. So when it is fragmented, Flag of More fragments is set. When it doesn't need to be fragmented, Flag of Don't fragment is set. But in packet 378 and 379, I have noticed that both the flags (Don't fragment and More fragments) are set. Can anyone help me for that? Why is this happening?

The file ip-ethereal-trace-1 is available on the internet.

http://gaia.cs.umass.edu/wireshark-la...

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2017-11-22 21:55:11 +0000

Christian_R gravatar image

First of all it looks like a traceroute with ICMP packets. And the ICMP packets are all to long. Indeed the combination (Do not Fragment and More Fragments) is an unallowed combination.

I would call it a misbehaviour of that stack, which has the packet fragmented.

https://crnetpackets.com/2015/08/29/a...

edit flag offensive delete link more

Comments

You don't know if there are any intermediate nodes in that path that don't want to handle fragmented IP fragments. So that combination of flags could very well be correct.

Jaap gravatar imageJaap ( 2017-11-23 07:19:56 +0000 )edit

But let´s assume the following:

  • Packets gets started without DNF Bit set
  • Packet gets fragmented (Most likely by the sender itsself)
  • Some device is setting the DNF Bit - which is most likely not an L4 device, otherwise we won´t be able to see the fragments here.
    • This is first of all not necessary, as a already fragmented packet is not allowed to be fragmented again.
    • If the DNF bit would be set in the middle of the way (for a non fragmented packet), the packet will be dropped, if it is to big. And a ICMP Message will be generated for the originally sender.
    • But the sender is not able to interpret this message correctly. As if it is a Windows host we are allowed to assume, that PMTUD is disabled, otherwise the DNF would have been set.

So I stay on my opinion, setting the DNF bit ...(more)

Christian_R gravatar imageChristian_R ( 2017-11-23 08:55:54 +0000 )edit

Indeed the combination (Do not Fragment and More Fragments) is an unallowed combination.

You may be right, but where is it stated that this is disallowed? Which RFC, for example? I ask because recently I've had a discussion about fragmentation and was wondering about possible improvements to PMTUD. Currently it seems that fragmented packets originating from a host do not have the DNF bit set, but why not? If a smaller PMTU is later encountered, the fragment will be fragmented again and forwarded along, but this is not ideal. I would rather see fragments rejected with an ICMP T3C4 and next-hop MTU returned so that the originating host could learn the true PMTU and perform fragmentation only once, right at the source. Note that per RFC 792, only the first fragment with offset=0 would cause the ICMP T3C4 to be sent; all other fragments would simply be dropped ...(more)

cmaynard gravatar imagecmaynard ( 2017-11-27 14:41:20 +0000 )edit

@cmaynard Ok. I think I have misinterpreted the RFC 6864 Chapter 4:

Non-atomic datagrams are datagrams either that already have been
      fragmented or for which fragmentation remains possible.

So I think now fragmentation of fragmented packet can happen.

The rest I will discuss later....

Christian_R gravatar imageChristian_R ( 2017-11-27 16:55:30 +0000 )edit

@cmaynard: As I have written before agree now, too, that further fragmentation is allowed,

So I agree that setting the DNF Bit on an already fragmented packet is not explicit forbidden. But it still makes no sense under normal conditions.

Because the ICMP T3C4 is routed to the original sender and I am not sure if he can handle this message, if PMTUD is not enabled on his site. So there 3 behaviours how he can react from my point of view:

  1. In the best case the original sender (he) will understand it, and sends the right segment size
  2. He will send a 576 Byte large packet (Min Transmission Unit Size)
  3. He will ignore it and packets gets still dropped.

So maybe it is some kind of intelligent NAT device in that path, which sends those packets? Or it is just an educational example of the year 2004. ???

Hope I ...(more)

Christian_R gravatar imageChristian_R ( 2017-11-30 14:47:04 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2017-11-22 16:53:14 +0000

Seen: 11,548 times

Last updated: Nov 23 '17

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2