What’s fragmentation
IP fragmentation is the process of breaking one IP datagram into smaller pieces (fragments) so it can cross a link whose maximum transmission unit (MTU) is smaller than the datagram. The fragments travel across the network as independent packets and are put back together only at the destination host; the routers along the way forward them without reassembling. (This is IPv4 behaviour. IPv6 routers never fragment; only the sender does.) On any given path a datagram is therefore one of two things:
Non-fragmented: it fits within the MTU of every link, or it carries the Don’t Fragment (DF) flag, in which case a router that cannot forward it drops it and returns an ICMP Fragmentation Needed message to the sender.
Fragmented: it is larger than some link’s MTU and DF is not set, so it is split and sent as several packets.
[Figure: a non-fragmented packet compared with one split into fragments]
What is MTU?
Maximum Transmission Unit (MTU). It’s the largest packet a link can carry in a single frame, counting the IP header but not the link-layer frame header. For example, Ethernet has an MTU of 1500 bytes, IEEE 802.11 (Wi-Fi) allows up to 2304 bytes, and so forth.
Changing the MTU is uncommon, but it is required in certain scenarios or deployments.
For instance, if you are familiar with VMware NSX-T or have worked with it before, you know that one of its requirements is a larger MTU on the underlay network for the Geneve overlay traffic.
This is needed because Geneve wraps the original frame inside additional outer Ethernet, IP, UDP and Geneve headers, and that overhead has to fit within the physical MTU without the overlay traffic being fragmented. If your switch ports are left at 1500 bytes, NSX-T won’t work as expected, because the encapsulated packets are too large for the path. In this case you must configure the switch globally and on the switchport to allow jumbo frames, typically an MTU of 9000 bytes (NSX-T requires at least 1600 bytes on the transport network).
Here is a graphic example:
A user sends 4000 bytes of data to another workstation.
The packet reaches the switch, whose ports use the default MTU of 1500 bytes. It is forwarded to the firewall, and in this design the firewall is the hop that breaks the 4000-byte datagram into fragments small enough for the 1500-byte MTU (in IPv4 any hop, including the sending host, may do this as long as the DF flag is not set).
The fragments are sent on to the router below. The router forwards every fragment, unchanged, to the destination host, which is the only place where reassembly takes place.
Each fragment carries the same Identification value as the original datagram, the MF (More Fragments) flag on every fragment except the last, and a Fragment Offset that says, in 8-byte units, where its data belongs in the original.
The workstation uses those fields to reassemble the fragments into the original 4000-byte packet.
The user is able to see the data.
[Figure: reassembly at the destination host]
Why do network administrators avoid fragmentation?
It adds overhead on routers and hosts: splitting and reassembling packets consumes CPU and memory and slows the network down.
It causes NAT and stateful-inspection issues, because only the first fragment carries the TCP/UDP header. A NAT device or firewall has to track fragments by their Identification value to match the later ones with the right session.
It causes latency.
Fragments can arrive out of order. The receiver has to hold them in a reassembly buffer and wait until every piece is present before it can hand anything up the stack, which adds delay.
Transmission is far less efficient. If you lose connectivity for even a tenth of a second and a single fragment is dropped, the receiver discards the whole datagram and the upper layer has to retransmit all of it, after which it is fragmented again.
It is prone to attacks. Reassembly code is a classic target for overlapping fragments, tiny fragments and reassembly-buffer exhaustion, and fragments can be used to slip traffic past IDS and firewall inspection. That is why many firewalls and routers simply drop malformed or fragmented packets.
Here is an example.
If you run ping -l 1400 8.8.8.8 (Windows ping; -l sets the ICMP data size), the request goes out as a single IP packet of 1428 bytes: 1400 bytes of data plus the 8-byte ICMP header and the 20-byte IP header. That is below the 1500-byte MTU, so Google DNS accepts it and replies.
Pinging 8.8.8.8 with 1400 bytes of data
Reply from 8.8.8.8: bytes=68 (sent 1400) time=27ms TTL=57
Reply from 8.8.8.8: bytes=68 (sent 1400) time=19ms TTL=57
Reply from 8.8.8.8: bytes=68 (sent 1400) time=24ms TTL=57
Reply from 8.8.8.8: bytes=68 (sent 1400) time=26ms TTL=57
But if you run ping -l 2000 8.8.8.8, the request times out. 2000 bytes of data plus the headers is 2028 bytes, more than the 1500-byte MTU, so the request has to be sent as two IP fragments, and Google DNS does not accept fragmented or malformed packets.
Pinging 8.8.8.8 with 2000 bytes of data
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
But why did it time out, you may ask? It is because Google DNS is not accepting malformed or fragmented packets. If you look at my Wireshark capture below, you’ll notice no response from 8.8.8.8 at all: no echo reply and no ICMP error, which is what a silent drop of the fragments looks like. If you want to see the limit explicitly, repeat the test with the -f switch, which sets the DF flag: Windows ping then reports "Packet needs to be fragmented but DF set." for anything above 1472 bytes of data, because 1472 plus 28 bytes of headers is exactly 1500.
This is possible because you can set up your firewall or router to drop malformed or fragmented packets. It is a practical way to mitigate fragmentation-based attacks such as DoS. The trade-off is that a blanket drop also discards legitimate fragments, for example large UDP responses, so most deployments drop only overlapping, tiny or non-initial fragments, or rely on the hosts doing path MTU discovery so that fragments never appear in the first place.
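The 4000-byte walkthrough, the drawbacks list and the two pings above, as one added worked example in Python (not code from the original post): it builds IPv4 fragments by hand so the Identification field, the MF flag and the 8-byte Fragment Offset are visible, reassembles them out of order while rejecting overlaps and holes, and then applies the drop-fragments firewall policy to a 1400-byte and a 2000-byte echo request. The addresses, Identification values and zero-filled payloads are constructed for the example, the checksums are left at zero, and nothing is transmitted.

```python
"""Added example, not code from the original post: IPv4 fragmentation,
reassembly and a drop-fragments filter done by hand.  Addresses, the
Identification values and the payloads are constructed; nothing is sent."""
import struct

IP_HDR = 20                 # IPv4 header without options
MF, DF = 0x2000, 0x4000     # More Fragments / Don't Fragment bits
HDR_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
SRC, DST = bytes([192, 0, 2, 10]), bytes([8, 8, 8, 8])   # constructed source (documentation range)


def build_header(total_len, ident, flags_off, proto=1):
    """Minimal IPv4 header: TTL 64, header checksum left at 0 for the example."""
    return struct.pack(HDR_FMT, 0x45, 0, total_len, ident, flags_off, 64, proto, 0, SRC, DST)


def parse_header(pkt):
    _, _, total_len, ident, flags_off, _, proto, _, _, _ = struct.unpack(HDR_FMT, pkt[:IP_HDR])
    return {"ident": ident, "proto": proto,
            "mf": bool(flags_off & MF), "df": bool(flags_off & DF),
            "offset": (flags_off & 0x1FFF) * 8,      # on the wire it is stored in 8-byte units
            "payload": pkt[IP_HDR:total_len]}


def fragment(payload, mtu, ident, df=False):
    """Split one datagram into fragments that fit `mtu`, as a host or router would.
    With DF set and no room, the packet is dropped and the sender gets
    ICMP Fragmentation Needed (type 3, code 4) instead."""
    if IP_HDR + len(payload) <= mtu:
        return [build_header(IP_HDR + len(payload), ident, DF if df else 0) + payload]
    if df:
        raise ValueError("DF set and datagram exceeds MTU: dropped, ICMP type 3 code 4 returned")
    step = (mtu - IP_HDR) // 8 * 8      # every non-final fragment carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        mf = 0 if off + len(chunk) == len(payload) else MF   # MF clear only on the last piece
        frags.append(build_header(IP_HDR + len(chunk), ident, (off // 8) | mf) + chunk)
    return frags


def reassemble(packets):
    """Rebuild the datagram from fragments arriving in any order.  Overlapping
    fragments (Teardrop-style) and holes are rejected rather than guessed at."""
    frags = sorted((parse_header(p) for p in packets), key=lambda f: f["offset"])
    if len({f["ident"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = bytearray(), 0
    for f in frags:
        if f["offset"] < expected:
            raise ValueError(f"overlapping fragment at offset {f['offset']}")
        if f["offset"] > expected:
            raise ValueError(f"hole in datagram: missing data at offset {expected}")
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("final fragment (MF=0) never arrived")
    return bytes(data)


def drop_fragments(packets):
    """The policy from the text: forward only whole datagrams.  Any packet with
    MF set or a non-zero offset is a fragment and is discarded."""
    kept = []
    for p in packets:
        h = parse_header(p)
        if not h["mf"] and h["offset"] == 0:
            kept.append(p)
    return kept


def ping_on_the_wire(data_len, mtu=1500, ident=0x4242):
    """What `ping -l data_len` puts on the wire and what survives the filter.
    Returns (fragments sent, fragments forwarded)."""
    echo = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + bytes(data_len)  # ICMP echo request, checksum 0
    sent = fragment(echo, mtu, ident)
    return len(sent), len(drop_fragments(sent))


if __name__ == "__main__":
    frags = fragment(bytes(4000), 1500, ident=1)
    print([(parse_header(f)["offset"], parse_header(f)["mf"]) for f in frags])  # [(0, True), (1480, True), (2960, False)]
    print(ping_on_the_wire(1400), ping_on_the_wire(2000))  # (1, 1) (2, 0)
```

Running it prints the three fragment offsets for the 4000-byte datagram (0, 1480 and 2960, with MF clear only on the last one) and then (1, 1) for ping -l 1400 against (2, 0) for ping -l 2000: the first ping is one whole 1428-byte packet the filter forwards, the second exists only as two fragments, both are dropped, and no reply is ever generated, which is exactly the silent timeout seen in the capture.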