IP fragmentation special topic

Introduction to the principle of fragmentation and reassembly in the TCP/IP protocol suite

Fragmentation is an embodiment of packet switching, and handling it is one of the two main problems solved by the IP protocol. The fragmentation algorithm in IP mainly solves the transmission problem caused by the differing maximum transmission units (MTU) of different physical networks. However, repeatedly fragmenting and reassembling packets in transit adds a great deal of work and introduces some security risks. In this short article we discuss the reasons for, and the principle, implementation and security of, IP fragmentation.

I. What is IP fragmentation?

IP fragmentation is a technique used when transmitting IP datagrams across a network. When a datagram is transmitted, the IP protocol divides it into several pieces for transmission and reassembles them in the destination system. This process is called fragmentation.

II. Why is IP fragmented?

Each physical network specifies the maximum length of a link-layer data frame, called the link-layer MTU (Maximum Transmission Unit). When the IP protocol transmits a datagram and the IP datagram carried inside the link-layer frame is longer than the MTU, the datagram is divided into several pieces for transmission and reassembled in the destination system. For example, the maximum IP datagram size (MTU) that can be carried in an Ethernet environment is 1500 bytes. If the data frame to be sent would exceed 1500 bytes, that is, if the data carried by the IP datagram is larger than 1472 bytes (1500 - 20-byte IP header - 8-byte UDP header = 1472, for an ordinary datagram), it must be fragmented before transmission.

III. The principle and analysis of IP fragmentation

The process of fragmentation and reassembly is transparent to the transport layer: once an IP datagram has been fragmented, it is reassembled only at the destination, and the reassembly is carried out by the IP layer of the destination host. A datagram that has already been fragmented can be fragmented again as needed.

IP fragments and the complete IP datagram have almost the same IP header, and the identification field of every fragment is the same, so that fragments of the same IP datagram can be recognised at reassembly time. In the IP header, the 16-bit identification field uniquely records the ID of an IP packet, and IP fragments with the same ID are reassembled together; the 13-bit fragment offset records the position of the fragment relative to the whole packet; and the 3-bit flags field that sits between those two fields indicates whether further fragments follow this one. These three fields make up all the information needed for IP fragmentation (they are introduced below), and the receiver uses them to reassemble the IP data.

1. The function of the flags field

The flags field plays an important role in a fragmented datagram. When a datagram is fragmented, the value of its flags field is copied into the header of each fragment. One bit of the field is the "don't fragment" (DF) bit and another is the "more fragments" (MF) bit; MF should be set to 1 in every fragment except the last one. The fragment offset field gives the position of the fragment relative to the beginning of the original datagram. In addition, when the datagram is fragmented, the total length field of each fragment is changed to the length of that fragment. If the DF bit is set to 1, IP will not fragment the datagram; if fragmentation would be needed on an intermediate router, the router discards the datagram and sends an ICMP unreachable error message to the source host. DF should not be set to 1 unless it is necessary. The rightmost bit (MF) set to 1 indicates that this is not the last fragment of the datagram. Deliberately sending only some of the fragments of a datagram, rather than all of them, causes the target host to wait for the remaining fragments, consuming and tying up system resources; some fragment-flood attacks are based on this principle.

Take Ethernet as an example. Because of the electrical limits of Ethernet transmission, the minimum size of an Ethernet frame is 64 bytes and the maximum is 1518 bytes. Subtracting the Ethernet frame header (DMAC destination MAC address 48 bits = 6 bytes + SMAC source MAC address 48 bits = 6 bytes + type field 2 bytes, 14 bytes in total) and the 4-byte CRC check at the end of the frame, the space left to carry the upper-layer protocol, that is, the data field, is at most 1500 bytes, which is the MTU value mentioned above. This is also a value the network layer protocol cares about very much, because the IP protocol at the network layer decides according to it whether to fragment the data handed down by the upper layer. Just as a box cannot hold a large loaf of bread, we need to cut the bread into pieces and put it in several boxes.

The following is the format of the fragmentation-related fields in the IP header and the meaning of each flag:

Identification (16 bits) | R | DF | MF | Fragment offset (13 bits)

R: reserved, unused; DF: Don't Fragment, the "no fragmentation" bit. If this bit is set to 1, the IP layer will not fragment the datagram; MF: More Fragments, the "more fragments" bit. Every fragment that makes up the datagram except the last one must have this bit set to 1; Fragment offset: the offset of the fragment from the beginning of the original datagram, in units of 8 bytes, so the byte offset is the field value multiplied by 8.
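To make the field layout concrete, here is an added Python example (my code, not from the original article) that packs a minimal IPv4 header with the struct module and then decodes the identification, the three flag bits and the 13-bit offset, multiplying the offset by 8 as described above. The sample headers are constructed for illustration; the source and destination addresses, TTL and protocol number are arbitrary assumptions.

```python
import struct

FLAG_RESERVED = 0x4   # R bit (must be zero)
FLAG_DF = 0x2         # Don't Fragment
FLAG_MF = 0x1         # More Fragments


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of the 16-bit words of a 20-byte header whose
    checksum field is zero, folded and complemented (RFC 791)."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    """Summing all header words including the stored checksum must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def build_ipv4_header(total_length, ident, df, mf, offset_units,
                      proto=17, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Pack a minimal 20-byte IPv4 header (IHL=5, TTL=64). The fragment offset
    is given in 8-byte units and must fit the 13-bit field."""
    if not 0 <= offset_units < (1 << 13):
        raise ValueError("fragment offset does not fit in 13 bits")
    flags = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                      (flags << 13) | offset_units, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_fragment_fields(hdr: bytes) -> dict:
    """Decode identification, R/DF/MF and the fragment offset from a raw header."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (hdr[0] & 0x0F) * 4
    if ihl < 20 or len(hdr) < ihl:
        raise ValueError("truncated IPv4 header")
    ident, flags_and_offset = struct.unpack("!HH", hdr[4:8])
    flags = flags_and_offset >> 13          # top 3 bits: R, DF, MF
    offset_units = flags_and_offset & 0x1FFF  # low 13 bits
    return {
        "id": ident,
        "reserved": bool(flags & FLAG_RESERVED),
        "df": bool(flags & FLAG_DF),
        "mf": bool(flags & FLAG_MF),
        "offset_units": offset_units,
        "offset_bytes": offset_units * 8,   # the field counts 8-byte blocks
        "is_fragment": bool(flags & FLAG_MF) or offset_units != 0,
        "checksum_ok": checksum_ok(hdr[:ihl]),
    }


if __name__ == "__main__":
    # Constructed sample: second fragment of datagram 0x1234, starting 1480
    # bytes into the original (offset field 185), with more fragments to follow.
    second = build_ipv4_header(1500, 0x1234, df=False, mf=True, offset_units=185)
    print(parse_fragment_fields(second))
    # Constructed sample: an unfragmented datagram that forbids fragmentation.
    whole = build_ipv4_header(576, 7, df=True, mf=False, offset_units=0)
    print(parse_fragment_fields(whole))
```

A receiver uses exactly the three decoded values (id, MF, offset in bytes) to place each fragment in the reassembly buffer; the checksum check is included because a fragment with a corrupted header must be dropped rather than placed.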

2. The MTU principle

When two remote PCs need to communicate, their data passes through many routers and various network media before reaching the far end. The MTUs of the different media along the path differ, just like a long water pipe made up of sections of different thickness (different MTUs): the maximum flow through the whole pipe is determined by the narrowest section in the middle.

The protocols above the network layer (taking the TCP/IP protocol family as the example) do not care about the thickness of the "water pipe"; they regard it as the network layer's business. The IP protocol at the network layer checks the size of each packet from the upper-layer protocol and decides whether to fragment it according to the local MTU. The biggest disadvantage of fragmentation is that it reduces transmission performance: what could be done in one step is done many times, so the layer above the network layer (the transport layer) usually pays attention to this in its implementation. Some upper layers ask that, for whatever reason, the bread must not be sliced; they want it to arrive whole, so they set a label in the IP header: DF (Don't Fragment). Then, when the IP packet travels through a section of the network (inside the water pipe) whose MTU is smaller than the packet, the forwarding device discards the packet as required and returns an error message to the sender. This often causes communication problems, but fortunately the MTU of most network links is 1500 or higher (only X.25 networks at 576 and point-to-point links at 296 are below 1500).

UDP is a connectionless protocol that does not care about the arrival order of packets or whether they arrive correctly, so ordinary UDP applications have no special requirements regarding fragmentation.

TCP is different: it is a connection-oriented protocol that cares very much about the arrival order of packets and whether errors occur in transmission. Therefore some TCP applications require no fragmentation and set the DF (Don't Fragment) bit.

3. The MSS principle

MSS (Maximum Segment Size) is the largest data segment a TCP packet can carry at one time. To achieve the best transmission efficiency, TCP usually negotiates the MSS of both sides when establishing a connection. In TCP implementations this value is usually derived from the MTU (the 20-byte IP header and the 20-byte TCP header are subtracted), so the MSS is often 1460. The two sides determine the maximum MSS of the connection according to the smaller of the MSS values they offer.

When an IP datagram is fragmented, each fragment becomes a packet with its own IP header and is routed independently of the other packets. The fragments may therefore arrive at the destination out of order, but the IP header carries enough information for the receiver to reassemble the datagram correctly.

Although IP fragmentation appears transparent, one undesirable property is that the whole datagram must be retransmitted even if only one fragment is lost, because the IP layer has no timeout and retransmission mechanism of its own; the higher layer is responsible for timeouts and retransmission (TCP has such a mechanism, UDP does not, although some UDP applications implement their own). When one fragment of a TCP segment is lost, TCP retransmits the whole TCP segment after the timeout, which corresponds to one IP datagram; there is no way to resend only the missing fragment. In fact, if the datagram was fragmented by an intermediate router rather than by the originating system, the originating system cannot even know how it was fragmented. For this reason it is often necessary to avoid fragmentation.

IV. The principle of the IP fragmentation algorithm

Fragmentation and reassembly is the most important job of the IP layer. The main idea is that when a packet passes from one network A into another network B, if the packet from the original network is longer than the MTU of the other network or interface, it must be fragmented (if DF is set to 1 the packet is discarded and an ICMP unreachable error message is sent back instead). Therefore the IP header contains several fields that identify the fragments of the same packet (the identification number), the offset of each fragment, whether it is the last fragment, and whether fragmentation is allowed. Gateways along the path use these fields to re-fragment, and the host uses them to reassemble the fragments it receives into the original data. Consequently, when a fragmented packet passes through network monitoring equipment, security equipment or system management equipment, that equipment must itself fragment or reassemble in order to obtain the information and process the data.
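As an added example that is not part of the original article, the following Python code models the fragmentation algorithm of this section together with the out-of-order reassembly and the re-fragmentation by an intermediate router described earlier: the sender splits a payload so that each fragment fits the MTU, a router can split a fragment again for a smaller link, and the receiver rebuilds the datagram from fragments in any order, reporting a hole while a fragment is missing and rejecting overlapping fragments. It assumes 20-byte IP headers without options; the Fragment class, the DontFragment exception (standing in for the ICMP error a router would send) and the 4000-byte payload are my own constructions.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: headers without options


@dataclass(frozen=True)
class Fragment:
    ident: int    # identification copied from the original datagram
    offset: int   # fragment offset in 8-byte units (the 13-bit field)
    mf: bool      # More Fragments flag
    data: bytes   # this fragment's share of the original payload


class DontFragment(Exception):
    """Where a router would drop the datagram and return ICMP
    'destination unreachable - fragmentation needed and DF set'."""


def fragment(payload: bytes, ident: int, mtu: int, df: bool = False):
    """Split a datagram's payload so that header + data fits the link MTU."""
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, 0, False, payload)]
    if df:
        raise DontFragment(f"{IP_HEADER_LEN + len(payload)} bytes > MTU {mtu}, DF set")
    # every fragment except the last carries a multiple of 8 data bytes,
    # otherwise the next offset could not be expressed in the 13-bit field
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        frags.append(Fragment(ident, start // 8, start + max_data < len(payload), chunk))
    return frags


def refragment(frag: Fragment, mtu: int):
    """An intermediate router re-fragments a fragment for a smaller MTU.
    Offsets stay relative to the original datagram and only the very last
    piece inherits the original fragment's MF bit."""
    pieces = fragment(frag.data, frag.ident, mtu)
    last = len(pieces) - 1
    return [Fragment(frag.ident, frag.offset + p.offset, frag.mf or i < last, p.data)
            for i, p in enumerate(pieces)]


def reassemble(fragments):
    """Rebuild the payload from fragments received in any order.
    Returns None while a hole remains (a fragment is missing or the last one
    has not arrived); rejects overlapping fragments outright."""
    if not fragments:
        return None
    ident = fragments[0].ident
    if any(f.ident != ident for f in fragments):
        raise ValueError("fragments belong to different datagrams")
    unique = sorted({(f.offset, f.mf, f.data) for f in fragments})  # drop duplicates
    expected, buf = 0, bytearray()
    for offset, mf, data in unique:
        if offset * 8 < expected:
            raise ValueError("overlapping fragment rejected")
        if offset * 8 > expected:
            return None          # hole: an earlier fragment is still missing
        buf += data
        expected += len(data)
    if unique[-1][1]:            # last known fragment still says More Fragments
        return None
    return bytes(buf)


if __name__ == "__main__":
    payload = bytes(i % 251 for i in range(4000))   # constructed 4000-byte payload
    frags = fragment(payload, 42, 1500)
    print([(f.offset, f.mf, len(f.data)) for f in frags])
    smaller = refragment(frags[0], 576) + frags[1:]  # first piece crosses a 576 link
    print(reassemble(list(reversed(smaller))) == payload)
```

Note that the data length of every fragment except the last is a multiple of 8, which is why a 1500-byte MTU yields 1480-byte fragments at offsets 0, 185 and 370; the receiver's hole check is also what makes the "send only some of the fragments" resource-exhaustion pattern from section III visible, since such a datagram never completes and must eventually be timed out.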

V. The security problems of IP fragmentation

IP fragmentation is a commonly used technique for transmitting IP datagrams across a network, but it carries some security risks. During reassembly of IP fragments, attacks such as Ping of Death and teardrop can cause some systems to crash or reboot. Besides denial of service, IP fragmentation attacks are often used as a means of evading firewalls or network intrusion detection systems: because they do not reassemble IP fragments, some routers and network-based intrusion detection systems (NIDS) cannot filter or detect normally.

Introduction to the tiny fragment attack:

A tiny fragment attack is an attack in which deliberately crafted tiny fragments are sent to bypass a packet filtering system or intrusion detection system. The attacker splits the TCP header (normally 20 bytes) across two fragments, so that the destination port number ends up in the second fragment. A packet filtering device or intrusion detection system makes its allow/deny decision by examining the destination port number, and decides whether the subsequent fragments may pass by judging the first fragment; because the crafted fragmentation has moved the destination port number into the second fragment, that decision is made without seeing the port. Once reassembled on the target host, these fragments form the actual attack. This method can bypass some intrusion detection systems and some security filtering systems. Today, some intelligent packet filtering devices simply discard fragments whose header does not contain the port information.
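The defensive check the paragraph ends with (discarding first fragments that do not carry the port information), written out as an added Python example; this is my illustration, not code from the original article or from any particular firewall product. It assumes a minimal fragment representation and an allow-list of destination ports; the 20-byte (TCP) and 8-byte (UDP) minimums follow the minimum-length rule of RFC 1858, and the filter also refuses non-first fragments that would land inside the transport header after reassembly, which generalises the page's rule. All fragments used below are constructed, not captured traffic.

```python
from dataclasses import dataclass

PROTO_TCP = 6
PROTO_UDP = 17
# Smallest first-fragment payload on which the filter can still read the whole
# transport header it bases its decision on: a full 20-byte TCP header or the
# 8-byte UDP header (assumed policy, after RFC 1858's minimum-length rule).
MIN_FIRST_DATA = {PROTO_TCP: 20, PROTO_UDP: 8}


@dataclass(frozen=True)
class IpFragment:
    ident: int     # IP identification shared by all fragments of one datagram
    proto: int     # IP protocol number
    offset: int    # fragment offset in 8-byte units
    mf: bool       # More Fragments flag
    data: bytes    # fragment payload (transport header and/or data)


class FragmentFilter:
    """Stateful port filter that refuses to pass a fragment whose
    transport header it cannot see."""

    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.verdicts = {}   # ident -> verdict taken on the first fragment

    def check(self, frag: IpFragment):
        if frag.proto not in MIN_FIRST_DATA:
            return "pass", "not TCP/UDP, no port policy"
        need = MIN_FIRST_DATA[frag.proto]
        if frag.offset == 0:
            # First (or only) fragment: it must carry the whole transport
            # header, otherwise the port field may be missing or incomplete.
            if len(frag.data) < need:
                self.verdicts[frag.ident] = "drop"
                return "drop", "tiny first fragment: transport header incomplete"
            dst_port = int.from_bytes(frag.data[2:4], "big")
            verdict = "pass" if dst_port in self.allowed else "drop"
            if frag.mf:
                self.verdicts[frag.ident] = verdict   # later fragments inherit it
            return verdict, f"dst port {dst_port}"
        if frag.offset * 8 < need:
            # A non-first fragment whose data would land inside the transport
            # header after reassembly could rewrite the fields already checked.
            return "drop", "fragment overlaps transport header"
        verdict = self.verdicts.get(frag.ident)
        if verdict is None:
            return "hold", "first fragment not seen yet"   # a real device buffers it
        return verdict, "inherited from first fragment"


def tcp_header(src_port: int, dst_port: int) -> bytes:
    """Constructed 20-byte TCP header with only the ports filled in."""
    return src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)


if __name__ == "__main__":
    flt = FragmentFilter(allowed_dst_ports={80})
    # constructed: a first fragment carrying only 8 bytes of a TCP header
    print(flt.check(IpFragment(1, PROTO_TCP, 0, True, tcp_header(40000, 80)[:8])))
    # constructed: a normal first fragment with a complete TCP header to port 80
    print(flt.check(IpFragment(2, PROTO_TCP, 0, True, tcp_header(40000, 80) + b"x" * 1460)))
    print(flt.check(IpFragment(2, PROTO_TCP, 185, False, b"x" * 100)))
```

The verdict cache keyed by identification is what lets the device apply its first-fragment decision to the rest of the datagram, which is exactly the behaviour the attack relies on; refusing to decide on an incomplete header closes the gap without reassembling the whole datagram in the filter.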