4. IP Fragmentation Issues
There are several issues that make IP fragmentation undesirable. There is a small increase in CPU and memory overhead to fragment an IP datagram. This holds true for the sender as well as for a router in the path between a sender and a receiver. Creating fragments simply involves creating fragment headers and copying the original datagram into the fragments. This can be done fairly efficiently because all the information needed to create the fragments is immediately available.
Fragmentation causes more overhead for the receiver when reassembling the fragments because the receiver must allocate memory for the arriving fragments and coalesce them back into one datagram after all of the fragments are received. Reassembly on a host is not considered a problem because the host has the time and memory resources to devote to this task.
But reassembly is very inefficient on a router whose primary job is to forward packets as quickly as possible. A router is not designed to hold on to packets for any length of time. Also, a router doing reassembly chooses the largest buffer available (18K) with which to work because it has no way of knowing the size of the original IP packet until the last fragment is received.
Another fragmentation issue involves handling dropped fragments. If one fragment of an IP datagram is dropped, then the entire original IP datagram must be resent, and it will also be fragmented. You see an example of this with Network File System (NFS). NFS, by default, has a read and write block size of 8192, so an NFS IP/UDP datagram will be approximately 8500 bytes (including NFS, UDP, and IP headers). A sending station connected to an Ethernet (MTU 1500) will have to fragment the 8500 byte datagram into six pieces: five 1500 byte fragments and one 1100 byte fragment. If any of the six fragments is dropped because of a congested link, the complete original datagram will have to be retransmitted, which means that six more fragments will have to be created. If this link drops one in six packets, then the odds are low that any NFS data can be transferred over this link, since at least one IP fragment would be dropped from each NFS 8500 byte original IP datagram.
Firewalls that filter or manipulate packets based on Layer 4 (L4) through Layer 7 (L7) information in the packet may have trouble processing IP fragments correctly. If the IP fragments are out of order, a firewall may block the non-initial fragments because they do not carry the information that would match the packet filter. This would mean that the original IP datagram could not be reassembled by the receiving host. If the firewall is configured to allow non-initial fragments with insufficient information to properly match the filter, then a non-initial fragment attack through the firewall could occur. Also, some network devices (such as Content Switch Engines) direct packets based on L4 through L7 information, and if a packet spans multiple fragments, then the device may have trouble enforcing its policies.
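As an added example (not code from the original page), the following Python models the two points above: it splits the 8500-byte NFS datagram for an MTU of 1500 into the six fragments described, marks which fragment still carries the L4 header a filtering firewall could match, and computes how likely all fragments survive a link that drops one packet in six. A 20-byte IPv4 header without options is assumed.

```python
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header without options (assumed); the UDP header sits in the payload

@dataclass
class Fragment:
    offset: int           # byte offset of this piece within the original payload
    payload: int          # bytes of original payload carried
    more_fragments: bool  # MF flag: False only on the last fragment

    @property
    def total_length(self) -> int:
        return IP_HDR + self.payload

    @property
    def has_l4_header(self) -> bool:
        # Only the first fragment starts with the UDP/TCP header; non-initial
        # fragments carry no ports, so an L4 filter has nothing to match on.
        return self.offset == 0

def fragment(datagram_len: int, mtu: int) -> list[Fragment]:
    """Split an IP datagram (header + payload) into fragments that fit mtu.
    Fragment offsets are counted in 8-byte units, so each non-final fragment
    carries the largest multiple of 8 bytes that fits below the MTU."""
    payload = datagram_len - IP_HDR
    max_chunk = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload:
        chunk = min(max_chunk, payload - off)
        frags.append(Fragment(off, chunk, off + chunk < payload))
        off += chunk
    return frags

def delivery_probability(fragment_count: int, drop_rate: float) -> float:
    """All fragments must arrive: a single loss discards the whole datagram
    at the receiver and forces the sender to resend (and re-fragment) it."""
    return (1 - drop_rate) ** fragment_count

if __name__ == "__main__":
    frags = fragment(8500, 1500)   # the page's NFS datagram on Ethernet
    for f in frags:
        print(f"offset={f.offset:5d} len={f.total_length:4d} "
              f"MF={int(f.more_fragments)} l4hdr={f.has_l4_header}")
    print(len(frags), "fragments; P(all arrive at 1/6 loss) =",
          round(delivery_probability(len(frags), 1 / 6), 3))
```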
5. Avoiding IP Fragmentation: What TCP MSS Does and How It Works
The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram may be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.
Originally, MSS meant how big a buffer (greater than or equal to 65496K) was allocated on a receiving station to be able to store the TCP data contained within a single IP datagram. MSS was the maximum segment (chunk) of data that the TCP receiver was willing to accept. This TCP segment could be as large as 64K (the maximum IP datagram size) and it could be fragmented at the IP layer in order to be transmitted across the network to the receiving host. The receiving host would reassemble the IP datagram before it handed the complete TCP segment to the TCP layer.
Below are a couple of scenarios showing how MSS values are set and used to limit TCP segment sizes, and therefore, IP datagram sizes.
Scenario 1 illustrates the way MSS was first implemented. Host A has a buffer of 16K and Host B a buffer of 8K. They send and receive their MSS values and adjust their send MSS for sending data to each other. Notice that Host A and Host B will have to fragment the IP datagrams that are larger than the interface MTU but still less than the send MSS because the TCP stack could pass 16K or 8K bytes of data down the stack to IP. In Host B's case, packets could be fragmented twice, once to get onto the Token Ring LAN and again to get onto the Ethernet LAN.
Scenario 1
1. Host A sends its MSS value of 16K to Host B.
2. Host B receives the 16K MSS value from Host A.
3. Host B sets its send MSS value to 16K.
4. Host B sends its MSS value of 8K to Host A.
5. Host A receives the 8K MSS value from Host B.