Introduction
Fragmentation embodies the idea of packet switching and is one of the two main problems the IP protocol solves. The fragmentation algorithm in IP mainly addresses the transmission problem caused by different maximum transmission units (MTUs) on different physical networks. However, repeatedly fragmenting and reassembling packets in transit adds a lot of work and introduces some insecure factors. In this article we discuss the causes, principles, implementation, and security issues of IP fragmentation.
I. What is IP fragmentation?
IP fragmentation is a technique for transmitting IP packets over a network. When transmitting a datagram, the IP protocol divides it into several parts for transmission and reassembles them at the target system. This process is called fragmentation.
II. Why is IP fragmentation needed?
Each physical network specifies a maximum length for link-layer data frames, called the link-layer MTU (maximum transmission unit). When the IP protocol transmits a datagram, if the length of the IP datagram plus the frame header exceeds the MTU, the datagram is divided into several parts for transmission and reassembled at the target system. For example, the maximum IP packet size (MTU) that can be carried over Ethernet is 1500 bytes. If the frame to be transmitted would exceed 1500 bytes, that is, if the data carried by the IP datagram is longer than 1472 bytes (1500 - 20 - 8 = 1472 for a normal datagram, once the 20-byte IP header and an 8-byte transport header are subtracted), the frame must be fragmented before transmission.
III. Principles and Analysis of IP Fragmentation
Fragmentation and reassembly are transparent to the transport layer: once an IP datagram is split, it is reassembled only when it reaches the destination, and this is done by the IP layer of the target host. A datagram that has already been fragmented can be fragmented again as needed.
An IP fragment has almost the same IP header as the complete IP packet, and the Identification field is the same in every fragment, so the parts of one IP packet can be recognized during reassembly. In the IP header, the 16-bit Identification uniquely records the ID of an IP packet; fragments with the same ID are reassembled together. The 13-bit Fragment Offset records the position of a fragment relative to the whole packet. The three-bit flags field between those two fields indicates whether more fragments follow this one. These three fields make up all of the fragment information (described later), and the receiver uses them to reassemble the IP data.
1. Functions of the Flag Fields
The flags field plays a major role in fragmentation. When a datagram is fragmented, its header values are copied into each fragment. One bit of the flags field is the "don't fragment" (DF) bit and another represents "more fragments" (MF); MF must be set to 1 on every fragment except the last. The offset field gives the position of the fragment relative to the start of the original datagram. In addition, after the datagram is split, the total length field of each fragment is changed to the length of that fragment. If the DF bit is set to 1, the IP layer will not fragment the datagram; if an intermediate router would need to fragment it, the datagram is simply discarded and an ICMP unreachable error message is sent to the source host. Unless there is a special requirement, DF should not be set. The rightmost bit (MF) set to 1 indicates that this is not the last IP fragment. If a sender deliberately sends only some of the fragments rather than all of them, the target host keeps waiting for the rest, which consumes and ties up system resources; this is the principle behind some fragment storm attacks. Ethernet is used as an example below. Because of the electrical limitations of Ethernet transmission, each Ethernet frame has a minimum size of 64 bytes and a maximum size of 1518 bytes. Removing the 14-byte frame header (destination MAC address DMAC, 48 bits = 6 bytes; source MAC address SMAC, 48 bits = 6 bytes; type field, 2 bytes) and the 4-byte CRC check at the end of the frame, the remaining data field that carries the upper-layer protocol can hold at most 1500 bytes, which is the MTU value mentioned above. This is also what the network-layer protocol is concerned with, because the IP protocol decides whether to fragment the data handed down from the upper layer based on this value. It is like a box that cannot hold a whole loaf of bread: we need to cut the bread into slices and put the slices into several boxes.
The format of the fragmentation fields in the IP header and the meaning of each flag are as follows:
Identification (16 bits) | R | DF | MF | Fragment Offset (13 bits)
R: reserved, unused. DF: Don't Fragment, the "no fragmentation" bit; if it is set to 1, the IP layer will not split the datagram. MF: More Fragments, the "more fragments" bit; every fragment of the datagram except the last must have it set to 1. Fragment Offset: the position of the fragment relative to the start of the original packet; the offset value is expressed in units of 8 bytes.
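As an added illustration (not code from the original article), the following Python models the fragmentation and reassembly described above: it splits a payload into fragments whose Identification, DF, MF and 8-byte-unit Fragment Offset follow the rules listed, honours DF by discarding instead of fragmenting, and reassembles fragments that arrive out of order, reporting an incomplete datagram while the last fragment (MF = 0) or any middle fragment is still missing. The `Fragment` class and the 20-byte option-less header length are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumed IPv4 header without options, in bytes


@dataclass
class Fragment:
    ident: int      # 16-bit Identification, identical for every fragment of one datagram
    df: bool        # Don't Fragment flag
    mf: bool        # More Fragments flag: 1 on every fragment except the last
    offset: int     # 13-bit Fragment Offset, in units of 8 bytes
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int, df: bool = False) -> list[Fragment]:
    """Split a datagram payload so that header + data of each fragment fits the MTU."""
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, df, False, 0, payload)]  # fits: no fragmentation needed
    if df:
        # A router in this situation discards the datagram and returns an ICMP
        # error to the source host instead of fragmenting it.
        raise ValueError("DF set but datagram exceeds MTU: discard and send ICMP error")
    # Data per fragment must be a multiple of 8 because the offset is stored in 8-byte units.
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + len(piece) < len(payload)   # MF = 1 unless this is the last piece
        frags.append(Fragment(ident, df, more, start // 8, piece))
    return frags


def reassemble(frags: list[Fragment]) -> bytes | None:
    """Rebuild the payload from fragments arriving in any order; None while incomplete."""
    by_offset = {f.offset: f for f in frags}        # duplicates of one fragment collapse
    ordered = sorted(by_offset.values(), key=lambda f: f.offset)
    data = bytearray()
    for f in ordered:
        if f.offset * 8 != len(data):
            return None   # a hole: IP cannot re-request the lost fragment, keep waiting
        data += f.payload
    if not ordered or ordered[-1].mf:
        return None       # the last fragment (MF = 0) has not arrived yet
    return bytes(data)
```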
2. MTU Principle
When two remote PCs communicate, their data passes through many routers and a variety of network media to reach the peer. The MTU of the different media along the path differs. It is like a long pipe assembled from sections of different thickness (different MTUs): the maximum flow through the pipe is determined by the narrowest section in the middle.
The upper-layer protocols above the network layer (taking the TCP/IP protocol family as an example) do not care about the width of the "pipe"; they regard that as a network-layer matter. The network-layer IP protocol checks the size of each packet handed down by the upper-layer protocol and decides whether to fragment it based on the MTU of the local machine. The biggest disadvantage of fragmentation is that it reduces transmission performance: a job that could be done in one step is divided into several. Therefore the layer above the network layer (the transport layer) does pay attention to this. For some reason a higher layer may require that the bread not be sliced, that it wants a whole loaf, and it expresses this by setting a flag in the IP header: DF (Don't Fragment). Then, when the IP packet travels through a large network (the pipe) and some MTU is smaller than the packet, the forwarding device discards the packet as required and returns an error message to the sender. This often causes communication problems, but fortunately most network links have an MTU of 1500 or greater (only X.25 networks at 576 and point-to-point networks at 296 are below 1500).
UDP is itself connectionless and does not care about the arrival order of datagrams or whether they arrive correctly. Generally, UDP applications have no special requirements regarding fragmentation.
TCP is different: it is a connection-oriented protocol that cares very much about the arrival order of packets and whether errors occur in transit. Therefore some TCP applications have a requirement regarding fragmentation: they must not be fragmented (DF).
3. MSS Principle
MSS (maximum segment size) is the largest data segment a TCP packet can carry at a time. To achieve optimal transmission performance, TCP usually negotiates the MSS of both sides when establishing a connection. In TCP implementations this value is often derived from the MTU (subtracting the 20-byte IP header and the 20-byte TCP header), so the MSS is usually 1460. Both sides settle on the maximum MSS for the connection based on the smaller of the two MSS values offered.
When an IP datagram is fragmented, each fragment becomes a packet with its own IP header and is routed independently of the other packets. The fragments may therefore arrive out of order at the destination, but there is enough information in the IP header for the receiver to reassemble them correctly.
Although the IP fragmentation process looks transparent, one undesirable aspect is that the whole datagram must be retransmitted even if only one fragment is lost. The IP layer itself has no timeout-and-retransmission mechanism; the higher layer is responsible for timeouts and retransmission (TCP has such a mechanism, UDP does not, although some UDP applications implement their own). When a fragment of a TCP segment is lost, TCP resends the entire segment after the timeout; that segment corresponds to one IP datagram, and there is no way to retransmit only one fragment. In fact, if the datagram is fragmented by an intermediate router rather than by the originating system, the originating system cannot know how it was fragmented. For this reason, fragmentation often needs to be avoided.
IV. Principles of IP Fragmentation Algorithms
Fragmentation is one of the most important tasks of the IP layer. The main idea is: when a packet enters network B from network A, if the packet from the original network is longer than the MTU of the other network or interface, the packet must be split (if DF is set to 1, the packet is discarded and an ICMP unreachable error message is sent back). For this purpose the IP header contains several fields: the common identification number, the fragment offset, whether this is the last fragment, and whether fragmentation is allowed. Gateways along the path use these fields to fragment further, and the host reassembles the received parts to restore the data. Consequently, when packets pass through network monitoring devices, security devices, and system management devices, those devices must fragment or reassemble the packets to obtain information and process the data.
V. Security Issues of IP Fragmentation
IP fragmentation is a common technique for transmitting IP packets over a network, but it carries some security risks. Attacks such as Ping of Death and Teardrop can cause some systems to crash or reboot while reassembling IP fragments. Besides DoS attacks, some IP fragment attacks are commonly used to evade firewalls or network intrusion detection systems. Some routers and network-based intrusion detection systems (NIDS) cannot filter or detect properly because they lack the ability to reassemble IP fragments.
This section describes the tiny fragment attack:
The tiny fragment attack sends deliberately tiny fragments in order to bypass a packet filtering system or intrusion detection system. By crafting the fragments, an attacker splits the TCP header (usually 20 bytes) across two fragments so that the destination port number lands in the second fragment. A packet filtering device or intrusion detection system must first determine the destination port number before it can decide whether to allow or deny the traffic. But because the destination port number has been moved into the second fragment, the packet filter decides whether the following fragments are allowed based only on the first fragment. Once these fragments are reassembled on the target host, they form the various attacks. This method can be used to bypass some intrusion detection systems and some security filtering systems. Currently, some smarter packet filtering devices simply discard fragments whose header does not contain the port information.
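As an added example (not from the original article), this Python shows the check in the last sentence from the filter's side: it decodes the Identification, flags and Fragment Offset from a raw IPv4 header and drops a TCP first fragment (offset 0, MF set) that is too short to carry the whole 20-byte TCP header, so the decision is never made on a fragment with the transport fields missing. The packets are constructed inside the block for the test; the helper names and the addresses and ports used are this example's own.

```python
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options
FLAG_DF = 0x2          # Don't Fragment: middle bit of the 3-bit flags field
FLAG_MF = 0x1          # More Fragments: rightmost bit
PROTO_TCP = 6
TCP_HEADER_LEN = 20    # a first fragment must carry the complete TCP header


def build_fragment(ident: int, flags: int, offset: int, proto: int, data: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum left 0) plus data."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(data), ident, (flags << 13) | offset,
                        64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + data


def parse_fragment_fields(pkt: bytes) -> dict:
    """Extract Identification, DF, MF, Fragment Offset and the transport bytes carried."""
    v_ihl, _tos, total, ident, fl_off, _ttl, proto, _csum, _src, _dst = IPV4_HDR.unpack_from(pkt)
    flags = fl_off >> 13                         # top 3 bits: R, DF, MF
    return {"ident": ident, "proto": proto, "df": bool(flags & FLAG_DF),
            "mf": bool(flags & FLAG_MF), "offset": fl_off & 0x1FFF,
            "transport_len": total - (v_ihl & 0x0F) * 4}


def is_tiny_first_fragment(pkt: bytes) -> bool:
    """True when a TCP first fragment is too short to hold the whole TCP header,
    i.e. part of the header has been pushed into a later fragment."""
    f = parse_fragment_fields(pkt)
    return (f["proto"] == PROTO_TCP and f["offset"] == 0 and f["mf"]
            and f["transport_len"] < TCP_HEADER_LEN)


def filter_fragments(pkts: list) -> list:
    """Per-fragment packet-filter decision: 'drop' for tiny first fragments, else 'pass'."""
    return ["drop" if is_tiny_first_fragment(p) else "pass" for p in pkts]


# Constructed sample traffic: one TCP header split 8 + 12 bytes across two fragments,
# next to an unfragmented TCP segment and an ordinary full-size first fragment.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE = [
    build_fragment(0x4242, FLAG_MF, 0, PROTO_TCP, TCP_HDR[:8]),           # first 8 header bytes
    build_fragment(0x4242, 0, 1, PROTO_TCP, TCP_HDR[8:]),                  # offset 1 = byte 8
    build_fragment(0x4343, FLAG_DF, 0, PROTO_TCP, TCP_HDR),                # whole segment, DF
    build_fragment(0x4444, FLAG_MF, 0, PROTO_TCP, TCP_HDR + bytes(1460)),  # normal first frag
]
```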