Re: IP Fragmentation - Not reliable over the Internet?

[Owen DeLong <owen () delong com>]

On Aug 29, 2013, at 18:15 , Mark Andrews <marka () isc org> wrote:

> In message <a708ea6a03eb4ca7a14f5b16e4ce8dda () BN1PR03MB171 namprd03 prod.outlook
> .com>, Christopher Palmer writes:
> > This is what I'm concerned about:
> >
> > """
> > 1. If I originate IP packet fragments, such as an 8000 byte NFS packet
> > broken into 1500 byte fragments, what's the probability of some host
> > before the other endpoint dropping one or all of those fragments?
> > """
>
> For wide area NFS I would be using TCP not UDP.  If you can't use
> TCP you should ensure that the firewalls at both ends pass fragmented
> UDP packet.  NFS is generally not open to the world so fragmentation
> and NFS is essentially a local issue.  Fragments don't get routinely
> dropped in the core.

However, passing fragmented UDP packets has its own (undesirable)
set of security implications.

Of course running NFS over an unencrypted path in the wild is, well,
something with additional (undesirable) set of security implications.
(IOW, this should be happening inside a VPN)

> Ensure that the firealls at both ends pass ICMP/ICMPv6 PTB.  Only
> idiots block all ICMP/ICMPv6.  Yes there are a lot of idiots in the
> world.

+1 This cannot be stressed enough.

Owen