Should all IP fragments be dropped on edge Internet router?

rennerg
Level 1

I'm trying to wrap my head around IP fragmentation.  In looking through Cisco IOS hardening documentation they suggest the implementation of iACLs and in particular they suggest to drop all fragments using commands such as the following:

deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments

As I understand it, fragmented packets don't contain layer 4 information and thus IOS will be allowing/denying based solely on layer 3 information and as such undesired traffic could be let in unintentionally.

My only concern is whether, by denying all fragments on the edge Internet routers, there could be any scenario where it would break any of our web applications or any other valid traffic flows coming into our network from the Internet.  With things such as firewalls and IPS devices deployed behind the routers, would denying fragments on the edge Internet router also be necessary?  I'm all for locking things down as much as possible; I just want to do so in such a way that it won't break anything else.  I've been searching online to try and find out if there is any valid reason to NOT block this traffic but haven't been coming up with anything one way or the other.  So whether there could be valid reasons why packets are fragmented over the Internet is beyond me.  Any help/thoughts would be greatly appreciated.


Thanks,
Greg

1 Reply

Marcin Latosiewicz
Cisco Employee

Greg,

I will answer in a bit different way, but I hope it will at least answer your questions in part.

Best practice is to avoid fragmentation at all cost - nowadays mostly due to performance reasons (IP fragments very often cause different, slower packet processing and of course the overhead on the receiver side) rather than security concerns. Typically you do this (avoiding) by changing MSS - since most applications use TCP to send big chunks of data.

In an ideal world every host on the internet (or running IPv6) should be able to perform PMTUD (Path MTU Discovery), thus avoiding fragmentation altogether.


Real-world scenario - dropping only fragments without any reverse information will only generate frustrated users. It's best to focus on avoiding fragmentation from your side and handling it correctly if your network receives it (IP virtual-reassembly for instance).

Hope this helps,

Marcin
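The two points in this thread (Greg's observation that a non-initial fragment carries no layer 4 header, so a port-based ACE cannot classify it, and Marcin's suggestion to reassemble rather than blindly drop) can be seen concretely with a small simulation. The following Python is an added example written for this thread, not code from the original posts or from Cisco; it builds a plain IPv4/TCP packet, fragments it the way a router would at a 1500-byte MTU, and then evaluates the fragments against two stateless ACLs using a simplified model of the fragment-handling rules Cisco documents for IOS ACLs (the `fragments` keyword matching only non-initial fragments, and permit ACEs with port information matching non-initial fragments on layer 3 alone). The addresses, ports and ACL contents are constructed sample values.

```python
import struct

MF_FLAG = 0x2000      # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes
TCP = 6
ANY = "ip"            # stands in for "ip" in "permit/deny ip any any"


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0x1234, flags_offset=0):
    """Minimal IPv4 packet (no options) wrapping `payload`."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_offset, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport, dport, payload):
    """Minimal 20-byte TCP header; checksum left zero (not needed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                       65535, 0, 0) + payload


def parse_ipv4(pkt):
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "id": ident, "proto": proto,
            "mf": bool(flags_off & MF_FLAG),
            "offset": (flags_off & OFFSET_MASK) * 8,
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst),
            "payload": pkt[ihl:total_len]}


def fragment(pkt, mtu):
    """Split a packet into fragments that fit `mtu`, as a router would."""
    ip = parse_ipv4(pkt)
    chunk = (mtu - ip["ihl"]) // 8 * 8  # fragment data is an 8-byte multiple
    data, frags = ip["payload"], []
    for start in range(0, len(data), chunk):
        more = start + chunk < len(data)
        flags_off = (MF_FLAG if more else 0) | (start // 8)
        frags.append(build_ipv4(ip["src"], ip["dst"], ip["proto"],
                                data[start:start + chunk], ip["id"], flags_off))
    return frags


def ace_matches(ace, ip):
    """ACE = (action, proto, dport-or-None, has_fragments_keyword).
    Simplified model of IOS fragment handling (assumption, see lead-in)."""
    action, proto, dport, frag_kw = ace
    l3 = proto == ANY or proto == ip["proto"]
    non_initial = ip["offset"] > 0
    if frag_kw:                       # "... fragments": non-initial only
        return l3 and non_initial
    if not l3:
        return False
    if dport is None:                 # pure layer 3 ACE
        return True
    if not non_initial:               # L4 header is present: check the port
        if ip["proto"] != TCP or len(ip["payload"]) < 4:
            return False
        return struct.unpack("!HH", ip["payload"][:4])[1] == dport
    # Non-initial fragment has no L4 header: a permit ACE matches on L3
    # alone, a deny ACE with L4 info is skipped (Cisco's documented rule).
    return action == "permit"


def evaluate(acl, pkt):
    ip = parse_ipv4(pkt)
    for ace in acl:
        if ace_matches(ace, ip):
            return ace[0]
    return "deny"                     # implicit deny at the end of an ACL


def reassemble(frags):
    """Rebuild the original packet, as 'ip virtual-reassembly' would."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    data = b""
    for p in parts:
        if p["offset"] != len(data):
            raise ValueError("gap or overlap in fragment set")
        data += p["payload"]
    if parts[-1]["mf"]:
        raise ValueError("last fragment missing")
    f = parts[0]
    return build_ipv4(f["src"], f["dst"], f["proto"], data, f["id"])


def demo():
    # Constructed sample: 2000-byte HTTPS segment, and one to port 22.
    https = build_ipv4("198.51.100.10", "203.0.113.5", TCP,
                       build_tcp(40000, 443, b"A" * 2000))
    ssh = build_ipv4("198.51.100.10", "203.0.113.5", TCP,
                     build_tcp(40001, 22, b"B" * 2000))
    # permit tcp any any eq 443 / deny ip any any
    port_only = [("permit", TCP, 443, False), ("deny", ANY, None, False)]
    # same ACL with the iACL fragment denies from the question in front
    hardened = [("deny", TCP, None, True), ("deny", ANY, None, True)] + port_only
    hf, sf = fragment(https, 1500), fragment(ssh, 1500)
    return {"fragments": len(hf),
            "https_port_only": [evaluate(port_only, f) for f in hf],
            "ssh_port_only": [evaluate(port_only, f) for f in sf],
            "https_hardened": [evaluate(hardened, f) for f in hf],
            "reassembled_ok": reassemble(hf) == https,
            "ssh_after_reassembly": evaluate(port_only, reassemble(sf))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the trade-off both posts describe: with only a port-based ACE, the second fragment of the port 22 packet is permitted on layer 3 alone even though its first fragment was dropped, while the `fragments` denies in front catch it but also drop the second fragment of a legitimate HTTPS packet (Marcin's "frustrated users"). Reassembling first lets the same port ACE make the right decision on the whole packet, which is the effect the IOS `ip virtual-reassembly` interface command is meant to provide; reducing fragmentation at the source, as the reply suggests, is done on IOS with `ip tcp adjust-mss` on the interface.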
