When a host sends data over a network, the size of a packet depends on what the local network can support. The maximum size for the IP datagram (packet) is restricted by the local network’s data link. In networking lingo, we refer to this maximum size as the IP Maximum Transmission Unit (MTU).
The MTU is the largest IP packet, in bytes, that a link can carry in a single frame. It differs between link types: standard Ethernet carries 1500 bytes, Ethernet interfaces configured for jumbo frames accept around 9000, and tunnel or PPPoE links sit below 1500 because their own headers take part of each frame.
A packet sized for one link may be too large for another link on the path. If, for example, packets need to be sent over the internet or through an encrypted VPN tunnel, the tunnel's encapsulation headers add bytes to every packet, so a packet that fit the local Ethernet no longer fits and must be fragmented, which slows the transfer.
A related but different limit is the TCP Maximum Segment Size (MSS): the largest amount of TCP payload a host is willing to receive in one segment, which each side advertises in the SYN of the three-way handshake. The MSS is a transport-layer value and does not itself trigger IP fragmentation; rather, a sender that honours the peer's MSS (normally the MTU minus 40 bytes for IPv4 and TCP headers without options, or minus 60 for IPv6) keeps every segment small enough to avoid it. IP fragmentation occurs when a datagram larger than a link's MTU has to cross that link.
What is IP Fragmentation?
IP fragmentation is the process of breaking a datagram into smaller pieces, known as fragments, so that they can cross a link whose maximum transmission unit (MTU) is smaller than the datagram. The fragments travel across the network independently and are reassembled into the original datagram at the destination host.
In IPv4, fragmentation is performed by the sending host, or by any router along the path whose next-hop link has a smaller MTU; an ordinary layer-2 switch never fragments (a "layer-3 switch" that does is acting as a router). In IPv6, only the sending host fragments; routers drop oversized packets and report back to the sender. Each fragment gets a copy of the original IP header with a few fields changed: Total Length, the More Fragments (MF) flag (set on every fragment except the last), and Fragment Offset, the position of the fragment's data within the original payload in units of 8 bytes. The Identification field, shared by all fragments and combined with the source address, destination address and protocol number, lets the destination group the fragments of one datagram and put them back together. Reassembly happens only at the final destination (or in a firewall or NAT device that reassembles in order to inspect traffic), never at intermediate routers.
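As an added example (not code from the article), the following pure-Python fragmenter and reassembler show those header changes concretely. The sample datagram, the 10.0.0.1 and 10.0.0.2 addresses and the checks the reassembler performs (no gaps, no overlaps, no oversized result) are this example's own choices, not anything the article prescribes.

```python
"""IPv4 fragmentation and reassembly in pure Python.

Added example, not code from the article. The datagram is constructed inline;
addresses 10.0.0.1 -> 10.0.0.2 and the payload are sample data. Field layout
follows RFC 791: the flags/offset word holds DF (bit 14), MF (bit 13) and a
13-bit fragment offset counted in 8-byte units.
"""
import struct

IHL_BYTES = 20          # header without options
DF, MF = 0x4000, 0x2000
OFFSET_MASK = 0x1FFF
MAX_DATAGRAM = 65535    # 16-bit Total Length field


def checksum(header):
    """RFC 1071 one's-complement sum over the (even-length) header bytes."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, ident, flags_off=0, src=b"\x0a\x00\x00\x01",
               dst=b"\x0a\x00\x00\x02", proto=17):
    """IPv4 header (no options, checksum filled in) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL_BYTES + len(payload),
                      ident, flags_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ident": f[3], "proto": f[6], "src": f[8], "dst": f[9],
            "df": bool(f[4] & DF), "mf": bool(f[4] & MF),
            "offset": (f[4] & OFFSET_MASK) * 8, "payload": pkt[ihl:f[2]]}


def fragment(pkt, mtu):
    """Split a datagram into fragments of at most mtu bytes (host or router side)."""
    if len(pkt) <= mtu:
        return [pkt]
    info = parse_ipv4(pkt)
    if info["df"]:
        raise ValueError("DF set: drop and send ICMP Fragmentation Needed instead")
    chunk = (mtu - IHL_BYTES) // 8 * 8      # all but the last carry 8-byte multiples
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload, frags = info["payload"], []
    for off in range(0, len(payload), chunk):
        last = off + chunk >= len(payload)
        flags_off = (0 if last else MF) | (off // 8)   # MF on every piece but the last
        frags.append(build_ipv4(payload[off:off + chunk], info["ident"], flags_off,
                                info["src"], info["dst"], info["proto"]))
    return frags


def reassemble(frags):
    """Rebuild one datagram; reject overlapping, oversized or incomplete sets.

    Every fragment is assumed to belong to the same (src, dst, proto, ident)
    set; a real stack keys its reassembly queue on that tuple.
    """
    pieces = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if not pieces:
        raise ValueError("no fragments")
    data, expected = bytearray(), 0
    for p in pieces:
        if p["offset"] != expected:           # hole (fragment missing) or overlap
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        data += p["payload"]
        expected += len(p["payload"])
        if IHL_BYTES + len(data) > MAX_DATAGRAM:
            raise ValueError("reassembled datagram would exceed 65535 bytes")
    if pieces[-1]["mf"]:
        raise ValueError("last fragment missing (MF still set)")
    first = pieces[0]
    return build_ipv4(bytes(data), first["ident"], 0,
                      first["src"], first["dst"], first["proto"])


if __name__ == "__main__":
    original = build_ipv4(bytes(range(256)) * 12, ident=0x1234)   # 3092-byte datagram
    pieces = fragment(original, 1500)
    print([len(f) for f in pieces])                  # [1500, 1500, 132]
    print(reassemble(reversed(pieces)) == original)  # True: arrival order does not matter
```

Note that every fragment but the last carries 1480 payload bytes (the largest multiple of 8 that fits in 1500 with a 20-byte header), and that the reassembler refuses a set whose offsets do not line up exactly; a production stack additionally keys sets on the address/protocol/identification tuple and expires incomplete sets on a timer.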
Although IP fragmentation is a neat solution to common networking problems, it can result in unwanted side effects and issues. Below, we will take a closer look at how IP fragmentation works and what kind of problems it causes.
What problems can IP fragmentation cause?
IP fragmentation adds work that network devices are not optimized for. A router that has to fragment usually handles the packet in its software slow path rather than in hardware forwarding, and the destination host has to hold fragments in a reassembly buffer until the whole datagram has arrived. Firewalls and NAT devices that inspect traffic often have to reassemble as well, which costs memory and CPU on a device that sits in the path of every packet.
Another issue is that if any single fragment is lost in transit, the destination can never complete the datagram: the fragments that did arrive sit in the reassembly buffer until a timer expires and are then discarded. IP has no mechanism to retransmit an individual fragment, so the upper-layer protocol (TCP, for example) must retransmit the whole segment, which is fragmented all over again. One lost fragment therefore wastes the bandwidth spent on all of them, and the loss is not noticed until the reassembly or retransmission timer fires. For these reasons, network administrators avoid IP fragmentation whenever possible.
IP fragmentation can also lead to out-of-order delivery, which the receiver must cope with at reassembly time. This is most common when only some datagrams are fragmented, or when link aggregation or other path-splitting technologies are in use: the fragments of one datagram may be hashed onto different paths and arrive at their destination out of order.
Dropped and out-of-order fragments aside, there is a structural problem: only the first fragment contains the transport-layer (TCP or UDP) header, while every later fragment carries just an IP header and a slice of payload. Any device that makes decisions on port numbers, such as a stateless packet filter, a port-hashing load balancer or a NAT that rewrites ports, cannot classify the later fragments on their own and must either track fragment sets, reassemble, or guess.
Here is a recap of the problems that IP fragmentation can cause:
- Overhead on routers and hosts: fragmenting on a router and reassembling at the destination (or in a firewall or NAT device) both consume CPU and memory and slow the network down.
- Inefficient transmission: if any fragment is lost, the receiver discards the whole partial datagram after a timeout and the upper layer must retransmit all of it, which is then fragmented again.
- Disordered packet delivery: fragments can arrive out of order, particularly across split paths, and the receiver must buffer and reorder them.
- Routing and firewall issues: because only the first fragment contains the transport header, port-based firewall rules and port-hashed forwarding decisions cannot be applied to later fragments.
- NAT issues: a NAT that rewrites port numbers has to track or reassemble fragment sets before it can translate anything but the first fragment.
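Added example (not the article's code) of the firewall problem in the recap: a port rule that can see only the first fragment, beside a filter that remembers the first fragment's verdict and applies it to the rest of the set. The packet builder, the sample addresses and the 20-byte minimum required of a first fragment are assumptions made for the example.

```python
"""Why port-based rules struggle with fragments, and one way to handle them.

Added example, not the article's code. Only the first fragment (offset 0)
of a datagram carries the TCP/UDP header, so a rule such as "allow TCP to
port 443" has nothing to match on later fragments. The constructed packets
below use sample addresses 192.168.1.10 -> 192.168.1.20 and carry no
checksums, since they are never transmitted.
"""
import struct

MF, OFFSET_MASK, TCP = 0x2000, 0x1FFF, 6
MIN_FIRST_FRAGMENT = 20     # this example's choice: a full TCP header must be visible


def build(src, dst, ident, offset_bytes, more, payload, proto=TCP):
    """IPv4 header without options (checksum left zero) in front of payload."""
    flags_off = (MF if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, src, dst) + payload


def tcp_header(sport, dport):
    """20-byte TCP SYN header with only ports and flags filled in (sample data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": f[8], "dst": f[9], "proto": f[6], "ident": f[3],
            "mf": bool(f[4] & MF), "offset": (f[4] & OFFSET_MASK) * 8,
            "payload": pkt[(f[0] & 0x0F) * 4:f[2]]}


def port_verdict(p, allowed_dports):
    """Verdict for a packet whose transport header is visible (offset 0)."""
    if p["proto"] != TCP or len(p["payload"]) < MIN_FIRST_FRAGMENT:
        return "drop"                      # not TCP, or a "tiny" first fragment
    dport = struct.unpack("!H", p["payload"][2:4])[0]
    return "accept" if dport in allowed_dports else "drop"


def stateless_check(pkt, allowed_dports):
    """Per-packet rule with no memory. Later fragments carry no ports, so the
    filter must either pass them all (letting arbitrary data through) or drop
    them all (breaking every fragmented flow). This version passes them."""
    p = parse(pkt)
    if p["offset"] != 0:
        return "accept"
    return port_verdict(p, allowed_dports)


class FragmentAwareFilter:
    """Remember the first fragment's verdict and apply it to the rest of the set."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.verdicts = {}      # (src, dst, proto, ident) -> verdict

    def check(self, pkt):
        p = parse(pkt)
        key = (p["src"], p["dst"], p["proto"], p["ident"])
        if p["offset"] == 0:
            verdict = port_verdict(p, self.allowed)
            if p["mf"]:
                self.verdicts[key] = verdict    # more fragments will follow
            return verdict
        # Later fragment: inherit the verdict; drop if the first fragment was
        # never seen (a real device would queue it instead of failing closed).
        verdict = self.verdicts.get(key, "drop")
        if not p["mf"]:
            self.verdicts.pop(key, None)        # set complete, forget it
        return verdict
```

The stateless version accepts the trailing fragment of a flow it would have blocked, which is exactly the gap the recap describes. Production implementations (Linux conntrack, for instance) go further than this filter: they queue out-of-order fragments, expire incomplete sets on a timer so the verdict table cannot grow without bound, and often reassemble the datagram outright before inspecting it.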
Why do networks use IP fragmentation if it is problematic?
Networks use IP fragmentation as a way to transmit packets that are larger than the maximum transmission unit (MTU) of an intermediate router or switch.
Although IP fragmentation can be problematic due to the overheads it creates and the potential for dropped or out-of-order fragments, it is often needed to allow packets to be transmitted across networks with different MTUs.
However, because of the issues IP fragmentation can cause, it is generally avoided, and alternative solutions are implemented to allow IP datagrams to be transmitted without the need for fragmentation.
How do networks avoid IP fragmentation?
Networks attempt to avoid IP fragmentation in a number of ways. Firstly, TCP endpoints advertise a Maximum Segment Size (MSS) in the SYN segments of the handshake, and each side never sends a segment larger than what its peer advertised. Secondly, Path MTU Discovery (PMTUD) uses Internet Control Message Protocol (ICMP) messages: a host marks its packets Don't Fragment and learns the smallest MTU on the path from the ICMP errors that routers send back when a packet does not fit.
Here is how PMTUD plays out: when a host sends a packet with the DF flag set that is larger than the MTU of a router's next-hop link, the router drops the packet and sends back an ICMP "Fragmentation Needed and DF set" error (type 3, code 4 in IPv4; the IPv6 equivalent is "Packet Too Big", type 2) that carries the MTU of that link. The host records the smaller value for that destination and resends with smaller packets. If a firewall along the way filters these ICMP messages, the host never learns the path MTU: large packets are silently dropped while small ones get through, a condition known as a PMTUD black hole that typically shows up as connections that open fine but stall on bulk transfers. Note the difference from the DF-clear case: an IPv4 router that receives an oversized packet without DF fragments it and forwards the pieces without telling the sender anything.
Network administrators may also avoid IP fragmentation by lowering the MTU of hosts or tunnel interfaces so that packets leave already small enough for the narrowest link on the path. Although reducing rather than increasing the MTU may seem counterintuitive at first, it works because it removes the need for routers and gateways further along to fragment at all. A closely related measure is MSS clamping: a router or VPN gateway rewrites the MSS option in TCP SYN segments passing through it to the path MTU minus the IP and TCP header sizes, so neither endpoint ever produces a segment that would need fragmenting. Both measures can improve the efficiency and performance of the network.
On the other hand, reducing the MTU too much has costs of its own: every packet carries the same headers, so smaller packets mean more header overhead per byte of data and more packets per second for routers and hosts to process. Network administrators must therefore balance the cost of a smaller MTU against the risk of IP fragmentation.
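Added example, not part of the article, of the MSS clamping just described: it parses the option list of a TCP SYN and rewrites the MSS field when it exceeds what the path MTU allows. The sample SYN, its option layout and the encapsulation overhead figure are constructed for the example; a real middlebox would also recompute the TCP checksum, which is omitted here.

```python
"""Clamp the TCP MSS option in a SYN so segments fit the path MTU.

Added example, not from the article. The MSS a host advertises is the largest
TCP payload it can receive; a middlebox on a path with a smaller MTU (a VPN
tunnel, PPPoE and so on) rewrites the option so the peer never sends a
segment that would need IP fragmentation. Same idea as iptables'
TCPMSS --clamp-mss-to-pmtu. TCP checksum recomputation is left out; a real
device must redo it after the rewrite.
"""
import struct

IPV4_TCP_OVERHEAD = 20 + 20   # IPv4 header + TCP header, no options
KIND_EOL, KIND_NOP, KIND_MSS = 0, 1, 2


def mss_for_mtu(mtu, encap_overhead=0):
    """Largest MSS whose IPv4/TCP segment fits the MTU after tunnel overhead."""
    return mtu - encap_overhead - IPV4_TCP_OVERHEAD


def build_syn(sport, dport, mss):
    """Constructed sample SYN with MSS, SACK-permitted, NOP and window-scale options."""
    opts = (struct.pack("!BBH", KIND_MSS, 4, mss)   # kind 2, len 4, value
            + b"\x04\x02"                           # SACK permitted
            + b"\x01"                               # NOP
            + b"\x03\x03\x07")                      # window scale 7
    opts += b"\x00" * (-len(opts) % 4)              # pad to a 4-byte multiple
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       data_offset << 4, 0x02, 65535, 0, 0) + opts


def clamp_mss(segment, max_mss):
    """Return (segment, advertised_mss). Only SYN segments carry the option;
    the segment is rewritten only when the advertised value exceeds max_mss."""
    if not segment[13] & 0x02:                      # no SYN flag
        return segment, None
    hlen = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:hlen])
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                   # malformed option list: leave it
        if kind == KIND_MSS and length == 4:
            old = struct.unpack("!H", opts[i + 2:i + 4])[0]
            if old > max_mss:
                opts[i + 2:i + 4] = struct.pack("!H", max_mss)
                return segment[:20] + bytes(opts) + segment[hlen:], old
            return segment, old
        i += length
    return segment, None


if __name__ == "__main__":
    # 80 bytes models an IPv6-outer WireGuard tunnel (40 IPv6 + 8 UDP + 32 WireGuard),
    # which is why WireGuard's default interface MTU is 1420 and the matching MSS 1380.
    syn = build_syn(50000, 443, 1460)
    clamped, old = clamp_mss(syn, mss_for_mtu(1500, encap_overhead=80))
    print(old, "->", clamp_mss(clamped, 65535)[1])  # 1460 -> 1380
```

A SYN that carries no MSS option is left alone here; the peer then assumes the RFC 879 default of 536 bytes, which is already small enough for any common link. Some clamping implementations insert an option in that case instead.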
What happens if the IP header says not to perform IP fragmentation?
If a datagram carries the Don't Fragment (DF) flag but is larger than the MTU of the next-hop link, the router drops it rather than fragmenting it. It then sends an ICMP error back to the source host (type 3, code 4, "Fragmentation Needed and DF set" in IPv4; "Packet Too Big" in IPv6) that includes the MTU the packet would have had to fit, so that the host can resend with smaller packets. This is the mechanism Path MTU Discovery relies on, and it only works if those ICMP errors are allowed to reach the host.
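Added example (not the article's code) showing the router's decision for an oversized datagram, the ICMP Fragmentation Needed message it returns, and how a sending host should process that message before lowering its path MTU. The addresses, the default MTU and the sanity checks applied to the ICMP message are this example's assumptions.

```python
"""Router handling of an oversized datagram and the host's PMTUD reaction.

Added example, not the article's code. The router either forwards the
datagram, fragments it (IPv4 with DF clear; the fragmenting itself is not
performed here), or drops it and returns an ICMP "Destination Unreachable,
Fragmentation Needed and DF set" message (type 3, code 4) whose second
header word carries the next-hop MTU (RFC 1191). The host parses that
message, checks that it quotes one of its own packets, and lowers the
cached path MTU for the destination. Addresses are sample values.
"""
import struct

DF = 0x4000
ICMP_UNREACH, ICMP_FRAG_NEEDED = 3, 4
MIN_IPV4_MTU = 68


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len, flags_off, proto, src, dst, ident=0):
    """IPv4 header without options, checksum computed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def router_decide(pkt, next_hop_mtu, router_addr):
    """Return ('forward', pkt), ('fragment', pkt) or ('icmp', error_packet)."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len, flags_off, src = f[2], f[4], f[8]
    if total_len <= next_hop_mtu:
        return "forward", pkt
    if not flags_off & DF:
        return "fragment", pkt          # IPv4 with DF clear: fragment silently
    ihl = (f[0] & 0x0F) * 4
    quoted = pkt[:ihl + 8]              # offending header + first 8 payload bytes
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return "icmp", ipv4_header(20 + len(icmp), 0, 1, router_addr, src) + icmp


class PathMtuCache:
    """Per-destination path MTU learned from ICMP Fragmentation Needed messages."""

    def __init__(self, own_addr, default=1500):
        self.own_addr, self.default, self.table = own_addr, default, {}

    def mtu_for(self, dst):
        return self.table.get(dst, self.default)

    def handle_icmp(self, pkt):
        """Return (dst, new_mtu) if the cache was lowered, otherwise None."""
        ihl = (pkt[0] & 0x0F) * 4
        icmp = pkt[ihl:]
        if len(icmp) < 8 + 20:                       # must quote a full IP header
            return None
        typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
        if (typ, code) != (ICMP_UNREACH, ICMP_FRAG_NEEDED):
            return None
        quoted = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
        if quoted[8] != self.own_addr:
            return None                 # does not quote our packet: spoofed or stray
        dst = quoted[9]
        # RFC 1191: old routers send mtu == 0. Never accept a value below the
        # IPv4 minimum, and never raise the cached value because of an error.
        if mtu < MIN_IPV4_MTU or mtu >= self.mtu_for(dst):
            return None
        self.table[dst] = mtu
        return dst, mtu
```

The check that the quoted header belongs to a packet this host actually sent is the minimum defence against forged ICMP errors; a real stack also matches the quoted transport header against an existing socket, and Linux additionally refuses to drop below a configurable floor (`net.ipv4.route.min_pmtu`) so a forged message cannot force pathologically small packets.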
What is an IP fragmentation attack?
An IP fragmentation attack is a type of Denial of Service (DoS) attack that abuses the fragmentation and reassembly process to exhaust or crash a target, such as a server or the firewall in front of it.
Attackers carry out IP fragmentation attacks by sending large numbers of crafted fragments rather than well-formed datagrams: sets that never complete, so the victim holds reassembly state until its timers expire; fragments with overlapping or inconsistent offsets that trip up reassembly code; or fragments that would reassemble into a datagram larger than IP allows. The victim spends memory and CPU on reassembly work that never produces anything useful, which slows it down or, on vulnerable systems, crashes it.
Below we have included the most common types of IP fragmentation attacks:
- Teardrop attack (IP fragment overlap attack): the attacker sends fragments whose offsets and lengths overlap or contradict one another. Reassembly code that does not handle overlapping fragments correctly can corrupt memory or crash, resulting in a Denial of Service (DoS). Modern operating systems discard overlapping fragment sets.
- UDP and ICMP flood attack: the attacker floods the target with many oversized UDP or ICMP datagrams, each of which arrives as several fragments. The target must buffer and reassemble every set before it can even decide whether to discard the payload, which can slow it down or crash it.
- Ping of Death attack: the attacker sends ICMP echo request (ping) fragments that reassemble into a datagram larger than the 65,535-byte maximum an IPv4 datagram can have. Older network stacks overflowed their reassembly buffer and crashed. Modern systems check the reassembled length, and a firewall can drop such fragment sets before they reach the host.
Can a VPN help to prevent IP fragmentation attacks?
Partly. When you connect through a VPN, the address other parties see is the VPN server's, not your own. An attacker who aims a flood of fragments at the address they can see hits the VPN provider's server, which is built to handle far more traffic than a home connection, and your local network is not touched.
During an attack, a VPN server should be able to cope. If it does become overwhelmed and slows down, you can disconnect from that server and use another one until the attack is over. The protection has limits: it helps only while the attacker does not know your real address, and it does nothing for a server of your own that clients must reach directly. With those caveats, a VPN can offer effective protection against DoS attacks, including IP fragmentation attacks.
Can IP fragmentation affect the speed of a VPN?
Yes, and it is not especially rare. A VPN wraps each packet in extra headers (an outer IP header, usually UDP, and the tunnelling protocol's own header and authentication tag), so a packet that filled a 1500-byte Ethernet frame before encryption no longer fits once encapsulated: it is fragmented, or dropped outright if DF is set and the resulting ICMP error never makes it back. This is why VPN clients let you change protocols or set a smaller tunnel MTU, why WireGuard defaults its interface MTU to 1420, and why OpenVPN offers an mssfix option that clamps the TCP MSS to fit the tunnel. Lowering the tunnel MTU or clamping the MSS usually resolves slowness or stalled transfers as your data passes over the local network or the internet.