Should we completely deprecate IP fragmentation ?

Fragmentation and reassembly have been part of the IPv4 specification seems the beginning. One of the main motivations for including such mechanisms in the network layer is of course to allow IP packets to be exchanged over subnetworks that support different packet sizes. The IPv4 fragmentation forced routers to be able to fragment too large fragments. When routers were entirely software based, doing fragmentation on the router was a viable solution. However, with the advent of hardware assisted routers, performing fragmentation on the routers became quickly too expensive. In a seminal paper, Christopher Kent and Jeff Mogul argued that fragmentation should be considered harmful. This encourage endhosts to avoid in-network packet fragmentation and most TCP implementations now include Path MTU discovery RFC 1191.

When IPv6 was designed, in-network fragmentation was quickly left out. However, the designers of IPv6 still believed in the benefits of fragmentation. IPv6 supports a fragmentation header that can be used by endhosts to fragment packets that are too large for a given path. One of the motivation for host based fragmentation is that some packets need to be transmitted over subnets that only support small packet sizes (IPv6 mandates a minimum MTU of 1280 bytes).

During the last decade, another family of problems has affected IP fragmentation : security. The IP fragmentation and reassembly algorithms are typical of networking code that is rarely used and as a consequence often not as thoroughly tested as other parts of the code. Several attacks have exploited issues in the packet reassembly algorithms and have caused Denial of Service attacks or other types of exploits. IPv4 and IPv6 implementations have been affected by these problems. A recent IETF draft proposes a radical solution to “solve” this security problem : deprecate the IPv6 fragment header. The draft lists several security issues that would be solved by removing this part of IPv6 and also notes that network operators and firewalls vendors have already decided to filter IPv6 fragments at the network edge. Even if IPv6 fragmentation is not officially deprecated, IPv6 fragments become a rare specie that you will less and less often seen in the wild...

6LowPAN networks designed to support Internet of Things based on very low bandwidth wireless looks could have been a refuge to IPv6 fragments. However a recent paper shows that the 6LowPAN specific fragmentation technique which is used in these networks that do not even support 1280 bytes packet also has security problems. Network security is definitely not easy...