Monday, December 14, 2015

Little bitsy pieces

Fragmenting IPv6

by Craig Miller

A whole made of fragments
In the last post, I spoke of IPv6 Extension Headers (see Stretching IPv6 with extension headers), and one of those extension headers was the fragmentation extension header.

It's Different

Fragmentation happens differently from IPv4. Instead of the routers realizing that the packet is too large for the next hop, and fragmenting the packet, only the source host will fragment a packet. If an IPv6 router sees a packet that is too large for the next hop, it will drop the packet, not fragment.

When to Fragment?

How does the source host know what MTU (Maximum Transmission Unit) size to use? By performing Path MTU Discovery (PMTUD, RFC 4821). A probe packet is sent to the destination using the link MTU. If the packet is too big for a link along the path, the router will drop it and send back an ICMPv6 Packet Too Big message. The source host will then decrease the payload size of the packet.

Most of the time, because of PMTUD, packet size will be scaled back to fit the smallest MTU size of the path, and no fragmentation will be required.

It is for this reason that packets sent to other hosts on the same link should never be fragmented. Remember the RA Guard vulnerability? When fragmented packets from hosts on the same link are rejected, this vulnerability is eliminated.

Why Fragment?

If PMTUD works so well, when would it make sense to see a fragmented packet? If everything worked right, there would never be fragmentation. However, the creators of IPv6 didn't want to assume everything would always work correctly, so they added the ability for the source host to fragment packets when needed.

There are some UDP applications which do not pay attention to PMTUD, and send out packets of their own desired length. When the stack receives such a packet, and knows through PMTUD that it will not successfully cross the path to the destination, the stack on the source host will fragment the packet and add a fragment extension header. See RFC 2460 section 4.5 for full details on the fragmentation extension header values.


Some key thoughts about IPv6 fragmentation
  • It is almost never required, thanks to PMTUD. 
  • Source hosts do fragmentation, not routers in IPv6. 
  • Be wary of ICMPv6 packets which are fragmented (a method of circumventing RA Guard).
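
To make the last point checkable, here is an added example (not code from the original post) that walks a packet's extension header chain, decodes the fragment header fields laid out in RFC 2460 section 4.5, and flags fragmented ICMPv6. The helper names, the addresses and the sample packets are constructed for illustration; treating a fragment whose header chain is cut off as suspicious is an assumption that follows RFC 7112.

```python
import ipaddress
import struct

HOP_BY_HOP, UDP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 17, 43, 44, 58, 60

def build(next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet fe80::1 -> ff02::1 (not captured traffic)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255)
    addrs = ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return fixed + addrs + payload

def frag_hdr(next_hdr: int, offset_bytes: int, more: bool, ident: int = 0x1234) -> bytes:
    """Fragment header: next header, reserved, offset/flags, identification."""
    return struct.pack("!BBHI", next_hdr, 0, (offset_bytes // 8) << 3 | int(more), ident)

def inspect_ipv6(packet: bytes) -> dict:
    """Walk one packet's extension header chain and report fragment details."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, pos = packet[6], 40        # Next Header field; end of fixed header
    info = {"fragmented": False, "chain_complete": True}
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if len(packet) < pos + 8:        # next header would start past the end
            info["chain_complete"] = False
            break
        if next_hdr == FRAGMENT:
            # 13-bit offset in 8-byte units, 2 reserved bits, then the M flag
            next_hdr, _, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
            info.update(fragmented=True, frag_offset=(off_flags >> 3) * 8,
                        more_fragments=bool(off_flags & 1), identification=ident)
            pos += 8
            if info["frag_offset"]:      # later fragment: the rest is payload
                break
        else:                            # generic header: length in 8-byte units
            next_hdr, pos = packet[pos], pos + (packet[pos + 1] + 1) * 8
    info["upper"] = next_hdr
    # Flag fragmented ICMPv6, and fragments whose upper layer cannot be seen.
    info["suspicious"] = info["fragmented"] and (
        next_hdr == ICMPV6 or not info["chain_complete"])
    return info

SAMPLES = {  # constructed inputs
    "plain RA": build(ICMPV6, bytes([134, 0]) + bytes(14)),
    "fragmented ICMPv6": build(FRAGMENT, frag_hdr(ICMPV6, 0, True) + bytes([134, 0]) + bytes(14)),
    "UDP tail fragment": build(FRAGMENT, frag_hdr(UDP, 1480, False) + bytes(64)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_ipv6(pkt))
```

Only the fragmented ICMPv6 sample is flagged; the plain Router Advertisement and the UDP tail fragment pass.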

Fragmentation is an option in IPv6, but it is an expensive option (both source and destination have to keep track of fragments used, splitting and reassembling packets). Thanks to PMTUD, it is rarely used. IPv6, and it makes networking simpler.
