ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
Appendix B: ICMP Fragmentation Needed but the Don't Fragment Bit was
set and the Path MTU Discovery Process [30]
When one host needs to send data to another host, the data is transmitted in a series of IP
datagrams. We want the datagrams to be the largest size possible that does not require
fragmentation [31] along the path from the source host to the destination host.
Fragmentation by the IP layer raises a few problems:
o If one fragment from a packet is dropped, we need to retransmit the whole packet.
o Load on the routers, which need to do the fragmentation.
o Some simpler firewalls would block all fragments because they do not contain the
  header information for a higher layer protocol needed for filtering.
The Maximum Transfer Unit (MTU) is a link layer restriction on the maximum number of bytes of
data in a single transmission. The smallest MTU of any link on the current path between two
hosts is called the Path MTU.
B.1 The PATH MTU Discovery Process
We use the Don't Fragment Bit Flag in the IP header to dynamically discover the Path MTU of a
given route. The source host assumes that the PMTU of a path is the known MTU of its first hop.
He will send all datagrams with that size, and set the Don't Fragment Bit. If along the path to the
destination host, there is a router that needs to fragment the datagram in order to pass it to the
next hop, an ICMP error message (Type 3 Code 4 Fragmentation Needed and DF set) will be
generated, since the Don't Fragment bit was set. When the sending host receives the ICMP error
message he should reduce his assumed PMTU for the path.
The process can end when the estimated PMTU is low enough for the datagrams not to be
fragmented. The source host itself can stop the process if he is willing to have the datagrams
fragmented in some circumstances.
Usually the DF bit would be set in all datagrams, so if a route to the destination host changes
and the PMTU is lowered, then we would discover it.
The PMTU of a path might be increased over time, again because of a change in the routing
topology. To detect it, a host should periodically increase its assumed PMTU for that link.
The link MTU field in the ICMP Fragmentation Needed and DF set error message carries the
MTU of the constricting hop, enabling the source host to know the exact value he needs to set the
PMTU for that path to allow the voyage of the datagrams beyond that point (router) without
fragmentation.
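The process described in B.1, simulated end to end as an added example (not code from the paper): a router builds the Type 3 Code 4 message carrying the link MTU, and the sender validates it before lowering its estimate. All function names and the sample packet bytes are assumptions made for illustration; the 68-octet floor, the rule that an error message never raises the estimate, and the plateau table come from RFC 1191. It goes one step beyond the text by handling older routers that leave the MTU field at zero.

```python
import struct

PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]  # RFC 1191 Table 7-1
MIN_PMTU = 68  # RFC 1191: never reduce the estimate below 68 octets
SAMPLE_ORIGINAL = b"\x45" + bytes(27)  # constructed stand-in for "original IP header + 8 bytes"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes = SAMPLE_ORIGINAL) -> bytes:
    """Router side: type 3, code 4, checksum, 16 unused bits, 16-bit link MTU, quoted datagram."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def reduce_pmtu(current: int, icmp: bytes) -> int:
    """Sender side: return the new PMTU estimate; malformed or widening messages change nothing."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:   # a valid message sums to zero
        return current
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return current
    if mtu == 0:  # older router: no link MTU reported, step down one plateau
        mtu = next((p for p in PLATEAUS if p < current), MIN_PMTU)
    if mtu >= current:  # an error message must never increase the estimate
        return current
    return max(mtu, MIN_PMTU)

def discover(link_mtus, legacy_hops=()):
    """Start at the first-hop MTU and shrink on each error until a DF datagram fits every link."""
    pmtu = link_mtus[0]
    history = [pmtu]
    while True:
        blocked = next((i for i, m in enumerate(link_mtus) if m < pmtu), None)
        if blocked is None:
            return history
        reported = 0 if blocked in legacy_hops else link_mtus[blocked]
        pmtu = reduce_pmtu(pmtu, build_frag_needed(reported))
        history.append(pmtu)
```

With the link MTU reported, each constricting hop costs one round trip; when a hop reports zero, the plateau search can settle below the true Path MTU (508 instead of 576 in the test path).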
B.2 Host specification
A host must reduce his estimated PMTU for the relevant path when he receives the ICMP
Fragmentation Needed and the DF bit was set error message. RFC 1191 does not outline a
specific behavior that is expected from the sending host, because different applications may have
different requirements, and different implementation architectures may favor different strategies.
[30] RFC 1191, http://www.ietf.org/rfc/rfc1191.txt, J. Mogul, S. Deering.
[31] When we send a packet that is too large to be sent across a link as a single unit, a router needs to slice/split the
packet into smaller parts, which contain enough information for the receiver to reassemble them. This is called
fragmentation.