IP Fragmentation: Breaking Down Large Packets

IP fragmentation is the process of dividing IP packets into smaller fragments when they exceed the Maximum Transmission Unit (MTU) of a network link. Understanding fragmentation is essential for network troubleshooting, performance optimization, and security. This comprehensive guide explains IP fragmentation, its causes, impacts, and how to avoid it.

What is IP Fragmentation?

IP fragmentation occurs when a packet is too large to be transmitted over a network link and must be broken into smaller pieces (fragments) that fit within the link's MTU.

Basic Concept

Maximum Transmission Unit (MTU):

Definition: Largest packet size a link can transmit
Common values:
- Ethernet: 1500 bytes
- PPPoE: 1492 bytes
- VPN: Varies (typically 1400-1450)
- Jumbo frames: 9000 bytes

When fragmentation occurs:

Packet size: 2000 bytes
Link MTU: 1500 bytes
Result: Packet too large
Action: Fragment into smaller pieces

Fragmentation process:

Original packet (2000 bytes)
    ↓
Fragment 1 (1500 bytes) + Fragment 2 (500 bytes)
    ↓
Transmitted separately
    ↓
Reassembled at destination

IPv4 Fragmentation

How IPv4 Fragmentation Works

Fragmentation fields in IPv4 header:

Identification (16 bits): Unique ID for packet
Flags (3 bits):
  - Bit 0: Reserved (must be 0)
  - Bit 1: Don't Fragment (DF)
  - Bit 2: More Fragments (MF)

Learn more about IPv4 and ICMP. Fragment Offset (13 bits): Position in original packet


**Fragmentation example:**

Original packet: - Total length: 2000 bytes - IP header: 20 bytes - Data: 1980 bytes - Identification: 12345 - DF: 0 (fragmentation allowed)

MTU: 1500 bytes

Fragment 1: - Total length: 1500 bytes - IP header: 20 bytes - Data: 1480 bytes - Identification: 12345 - MF: 1 (more fragments follow) - Fragment offset: 0

Fragment 2: - Total length: 520 bytes - IP header: 20 bytes - Data: 500 bytes - Identification: 12345 - MF: 0 (last fragment) - Fragment offset: 1480 (in 8-byte units: 185)


**Fragment offset calculation:**

Offset in bytes / 8 = Fragment offset value Example: 1480 / 8 = 185

Why 8-byte units? - 13 bits for offset - Maximum offset: 8191 × 8 = 65,528 bytes - Matches maximum IP packet size (65,535 bytes)


### Don't Fragment (DF) Flag

**Purpose:**

Prevent fragmentation Used for Path MTU Discovery Security (prevent fragmentation attacks) Performance optimization


**When DF is set:**

Packet too large + DF set ↓ Router cannot fragment ↓ Router drops packet ↓ Router sends ICMP "Fragmentation Needed" (Type 3, Code 4) ↓ Source reduces packet size


**ICMP message:**

Type: 3 (Destination Unreachable) Code: 4 (Fragmentation needed but DF set) Next-hop MTU: Included in message Source: Adjusts packet size


### Reassembly

**Reassembly process:**

Destination receives fragments
Identifies fragments by:
Source IP
Destination IP
Protocol
Identification field
Buffers fragments
Waits for all fragments (MF=0)
Reassembles in order (fragment offset)
Delivers complete packet


**Reassembly timeout:**

Default: 60 seconds If timeout: Discard all fragments Result: Packet lost Retransmission: Required


**Reassembly issues:**

Out-of-order arrival: Buffering required Missing fragment: All fragments discarded Timeout: Packet loss Memory: Buffer exhaustion possible


## IPv6 Fragmentation

### Key Differences from IPv4

**Fragmentation location:**

IPv4: Routers can fragment IPv6: Only source can fragment Routers: Never fragment in IPv6


**Why this change:**

Performance: Fragmentation is expensive Simplicity: Routers don't need to fragment Reliability: Source controls fragmentation Path MTU Discovery: Encouraged


**IPv6 minimum MTU:**

Requirement: 1280 bytes All links: Must support at least 1280 bytes Fragmentation: Only if packet > path MTU


### IPv6 Fragment Header

**Extension header:**

Next Header (8 bits): Protocol of fragmented packet Reserved (8 bits): Must be 0 Fragment Offset (13 bits): Position in original packet Res (2 bits): Reserved M flag (1 bit): More fragments Identification (32 bits): Unique fragment ID


**Fragmentation example:**

Original packet: 3000 bytes Path MTU: 1500 bytes

Fragment 1: - IPv6 header: 40 bytes - Fragment header: 8 bytes - Data: 1452 bytes - M flag: 1 - Offset: 0

Fragment 2: - IPv6 header: 40 bytes - Fragment header: 8 bytes - Data: 1452 bytes - M flag: 1 - Offset: 1452

Fragment 3: - IPv6 header: 40 bytes - Fragment header: 8 bytes - Data: 96 bytes - M flag: 0 - Offset: 2904


### Path MTU Discovery (PMTUD)

**IPv6 approach:**

Source sends packet (assumes 1500 MTU)
If too large, router drops packet
Router sends ICMPv6 "Packet Too Big"
Source reduces packet size
Source fragments if needed
Repeat until successful


**ICMPv6 Packet Too Big:**

Type: 2 Code: 0 MTU: Next-hop MTU included Action: Source adjusts packet size


## Problems with Fragmentation

### Performance Impact

**Processing overhead:**

Fragmentation: CPU intensive Reassembly: Memory and CPU intensive Routers: Slower processing Throughput: Reduced


**Packet loss amplification:**

One fragment lost → Entire packet lost Example: - 3 fragments - 1 fragment lost (33% loss) - Result: 100% packet loss (all fragments discarded)


**Latency increase:**

Buffering: Wait for all fragments Out-of-order: Additional delay Timeout: Retransmission delay


### Security Issues

**Firewall evasion:**

First fragment: Contains port numbers Subsequent fragments: No port info Firewall: May not inspect properly Attack: Bypass firewall rules


**Fragment overlap attacks:**

Overlapping fragments Malicious data in overlaps Reassembly: Undefined behavior Exploit: Security vulnerabilities


**Resource exhaustion:**

Flood: Send many fragments Never complete: Missing last fragment Memory: Exhausted by buffering DoS: Denial of service


**Tiny fragments:**

Very small fragments Many fragments per packet Processing: Overwhelms system Attack: Resource exhaustion


### NAT and Fragmentation

**Problems:**

NAT: Needs to see port numbers Fragments: Ports only in first fragment Subsequent: Cannot determine connection Result: Dropped fragments


**NAT behavior:**

First fragment: NAT translates, forwards Subsequent: NAT may not recognize Result: Packet reassembly fails Connection: Broken


## Avoiding Fragmentation

### Path MTU Discovery (PMTUD)

**IPv4 PMTUD:**

Set DF flag
Send packet
If ICMP "Frag Needed" received
Reduce packet size
Retry
Cache MTU for destination


**Implementation:**

Most modern OS: Enabled by default TCP: MSS negotiation Applications: Should respect PMTUD


**PMTUD issues:**

ICMP blocking: Firewalls may block ICMP Black hole: No ICMP response Timeout: Connection hangs Workaround: Reduce MTU manually


### TCP Maximum Segment Size (MSS)

**MSS negotiation:**

TCP handshake: MSS option Client: Advertises MSS Server: Advertises MSS Both: Use minimum MSS Result: Packets fit in MTU


**MSS calculation:**

MSS = MTU - IP header - TCP header Example (IPv4): MTU: 1500 bytes IP header: 20 bytes TCP header: 20 bytes MSS: 1460 bytes


**MSS clamping:**

Router/firewall: Modifies MSS in SYN packets Reduces: MSS to match MTU Prevents: Fragmentation Common: PPPoE, VPN


**Configuration (iptables):**
```bash
# Clamp MSS to PMTU
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Or specific value
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Application-Level Solutions

Chunking:

Application: Sends data in chunks
Chunk size: Smaller than MTU
Network: No fragmentation needed
Examples: HTTP chunked encoding

Protocol design:

DNS: Truncate flag (switch to TCP)
QUIC: Built-in MTU discovery
Modern protocols: Avoid fragmentation

Network Configuration

Increase MTU:

Jumbo frames: 9000 bytes
Requirement: All devices support
Use case: Data center, storage
Benefit: Fewer packets, better performance

Consistent MTU:

All links: Same MTU
Avoid: MTU mismatches
Configuration: Verify end-to-end

Reduce MTU:

VPN: Lower MTU (1400-1450)
PPPoE: 1492 bytes
Conservative: Avoid fragmentation

Troubleshooting Fragmentation

Detecting Fragmentation

tcpdump:

# Capture fragmented packets
tcpdump -n 'ip[6:2] & 0x1fff != 0'

# Explanation:
# ip[6:2]: Fragment offset and flags
# 0x1fff: Mask for fragment offset and MF flag
# != 0: Any fragmentation

Wireshark:

Filter: ip.flags.mf == 1 || ip.frag_offset > 0
Display: All fragments
Analysis: Fragment reassembly

netstat/ss:

# IPv4 fragmentation statistics
netstat -s | grep -i frag

# Or
cat /proc/net/snmp | grep Frag

Common Issues

PMTUD black hole:

Symptoms:
- Connection hangs
- Large transfers fail
- Small transfers work

Cause:
- ICMP blocked
- No "Frag Needed" message

Solution:
- Reduce MTU manually
- Allow ICMP
- Use MSS clamping

VPN fragmentation:

Problem:
- VPN overhead reduces MTU
- Packets too large
- Fragmentation occurs

Solution:
- Reduce VPN MTU
- MSS clamping
- Adjust client MTU

PPPoE issues:

MTU: 1492 (not 1500)
Overhead: 8 bytes
Fragmentation: If MTU not adjusted

Solution:
- Set MTU to 1492
- MSS clamping to 1452
- Configure router

Testing MTU

Ping with DF flag:

# Linux
ping -M do -s 1472 example.com

# Windows
ping -f -l 1472 example.com

# macOS
ping -D -s 1472 example.com

# Explanation:
# -M do / -f / -D: Don't fragment
# -s / -l: Packet size (data only)
# 1472: 1500 MTU - 20 IP - 8 ICMP = 1472

Find maximum MTU:

# Start with 1500, decrease until success
ping -M do -s 1472 example.com  # 1500 MTU
ping -M do -s 1464 example.com  # 1492 MTU (PPPoE)
ping -M do -s 1422 example.com  # 1450 MTU (VPN)

# Successful size + 28 = MTU

tracepath:

# Discover path MTU
tracepath example.com

# Shows MTU at each hop
# Identifies MTU bottleneck

Best Practices

Network Design

1. Consistent MTU:

All links: Same MTU
Avoid: Mismatches
Document: MTU values
Test: End-to-end

2. Enable PMTUD:

Allow: ICMP messages
Firewall: Don't block ICMP type 3 code 4
Monitor: PMTUD failures

3. MSS clamping:

VPN: Clamp MSS
PPPoE: Clamp MSS
Reduce: Fragmentation

Application Development

1. Respect MTU:

Use: TCP (automatic MSS)
Avoid: Large UDP packets
Test: Various MTUs
Handle: Fragmentation gracefully

2. Implement chunking:

Large data: Send in chunks
Chunk size: < MTU
Reassemble: At application layer

3. Error handling:

Detect: PMTUD failures
Retry: With smaller packets
Fallback: Reduce size

Security

1. Fragment filtering:

Firewall: Inspect all fragments
Drop: Suspicious fragments
Reassemble: Before inspection

2. Rate limiting:

Limit: Fragment rate
Prevent: Fragment floods
Monitor: Fragment patterns

3. Disable fragmentation:

Where possible: Set DF flag
Force: PMTUD
Avoid: Fragmentation attacks

IPv4 vs IPv6 Fragmentation

Comparison:

IPv4:
- Routers can fragment
- DF flag optional
- 16-bit identification
- Fragmentation common

IPv6:
- Only source fragments
- Routers never fragment
- 32-bit identification
- Fragmentation discouraged
- Minimum MTU: 1280 bytes

Recommendations:

IPv4: Use DF flag, enable PMTUD
IPv6: Rely on PMTUD, avoid fragmentation
Both: MSS clamping, consistent MTU

Conclusion

IP fragmentation is a necessary mechanism for handling packets larger than the network MTU, but it introduces performance, security, and reliability issues. Modern networks should avoid fragmentation through Path MTU Discovery, MSS negotiation, and proper MTU configuration. IPv6's approach of preventing router fragmentation encourages better practices and more efficient networks.

Network Performance

MTU - Maximum transmission unit
Routing - Packet routing
ICMP - PMTUD uses ICMP
Network Troubleshooting - Performance issues

IPv4 vs IPv6

IPv6 vs IPv4 - Fragmentation differences
What is an IPv6 Address? - IPv6 fundamentals
What is an IPv4 Address? - IPv4 fundamentals

Advanced Topics

TCP/IP Model - Protocol stack
VPN Basics - VPN MTU issues

Explore More

Networking Basics - Essential concepts

Key takeaways: - Fragmentation: Splits large packets into smaller pieces - IPv4: Routers can fragment - IPv6: Only source fragments - MTU: Maximum packet size per link - DF flag: Prevents fragmentation (IPv4) - PMTUD: Discovers path MTU - MSS: TCP negotiates segment size - Problems: Performance, security, reliability - Avoid: Through proper MTU configuration - Best practice: Enable PMTUD, use MSS clamping - Security: Fragment filtering, rate limiting - IPv6: Minimum 1280 bytes MTU

Bottom line: Fragmentation should be avoided whenever possible through proper MTU configuration, Path MTU Discovery, and TCP MSS negotiation. Understanding fragmentation is essential for troubleshooting connectivity issues, optimizing performance, and maintaining network security. Modern networks and applications should be designed to minimize or eliminate fragmentation.