Characteristics of fragmented IP traffic on Internet links

Colleen Shannon, David Moore, k claffy
Cooperative Association for Internet Data Analysis (CAIDA)
San Diego Supercomputer Center
University of California, San Diego

In order to develop new protocols and to predict future trends of Internet traffic, it is necessary to understand the nature of current traffic. Fragmented IP traffic is a unique component of the overall mix of traffic on the Internet that has not been well studied. Many assertions about the nature and extent of fragmented traffic are based in folklore, rather than measurement and analysis. Common folklore includes: fragmented traffic is decreasing or nonexistent, fragmented traffic exists only on LANs (due to NFS) not on backbone links, misconfiguration is causing certain kinds of fragmented traffic to increase, only UDP traffic is fragmented, etc. In this paper, we examine the behavior of measured fragment traffic and compare those results with commonly cited beliefs.

Understanding of the actual prevalence and causes of fragmented traffic may be critical to the success of currently proposed protocols and security efforts. For example, the proposed mechanism for transition between IPv4 and IPv6 networks requires checksums for all fragmented UDP traffic. Thus it is crucial to know whether fragmented UDP traffic without checksums frequently occurs. Also, a recently proposed technique for tracing the sources of denial of service attacks depends on altering the identification field in IP headers. This field is required for IP fragment reassembly, so anything which changes the identification field causes packet loss for fragmented traffic. Prior to the implementation of these proposals, or others like them, it is necessary to understand the actual nature of fragmented IP traffic.

Fragmented traffic causes increased load on routers, through both the division of the original packet and the increased number of packets handled by all subsequent routers. The traffic also causes increased load on links, due to the overhead of an extra IP header for each fragment. Additionally, because all of the fragments are necessary to reassemble the original packet, the probability of successfully delivering a fragmented packet exponentially decreases as a function of the number of fragments, as compared to the normal packet loss rate. This partial packet loss may further increase link and router loading as higher layers retransmit packets.

In order to understand the prevalence, causes, and effects of fragmented IP traffic, we have collected and analyzed many week-long traces taken from several sources. These sources include a university commodity access link, a highly aggregated commercial exchange point, and a local NAP.

In this paper, we describe many characteristics of fragmented traffic, including: the overall number of fragmented packets, the number and sizes of fragments into which an original packet was divided, the distribution of original packet sizes, the distribution of inter-arrival times of the fragments, whether the complete set of fragments that composed an original IP packet was collected, and whether these fragments were reordered by the network.

We also examine the causes of IP packet fragmentation. The effects of NFS, streaming media, networked video games, and tunneled traffic are quantified, as well as the prevalence of machines whose improper configurations were causing excessive amounts of fragmented traffic.