Where is the Don't Fragment Bit of the IP Flags used?

Question

I am curious to know where the "Don't Fragment" [DF] Bit of the IP Flags is used. As fragmentation is invisible to higher layers and they don't care too.

I am also looking for an example.

Thanks a lot in advance.

Answer 1

Fragmentation is not always invisible to all upper layers. Some (early and probably current) micro-controller TCP/IP stacks did not implement the full capabilities such as fragmentation handling. Use of the flag in that situation would ensure that the packet arrived in its original form instead of a lot of fragments which the other end couldn't handle.

In addition, when using UDP, it's not necessary for all the fragments to arrive at the destination so, preventing fragmentation means the message either arrives or doesn't arrive - there is no possibility that only a bit of the UDP datagram will reach the destination. I can't recall how long the TCP/IP stack held on to unassembled IP packets waiting for missing fragments, but use of the DF flag meant there were no unnecessary resources tied up during that time.

Finally, you can use it for testing behavior of network infrastructure, such as what happens when you get a packet that's bigger than the maximum transmission unit (DF will prevent that packet from being fragmented to 'squeeze through' the hole).

Answer 2

In addition to @Pax's answer (or perhaps as part of the testing he mentioned), the DP flag is also used in path MTU discovery. This is when you try to figure out what the largest packet that can be sent without being fragmented is, for a given link.

It is often useful to avoid fragmentation, even though higher-level protocols are in theory isolated from the mechanics of it, they can still "feel" the consequences. If a single application-level write() to the network socket ends up being fragmented because it is too large, and one of the fragments is lost in the network, the entire IP packet will be lost. This of course affects throughput.

For this reason, it is often desirable to know the maximum transmission unit, i.e. the largest packet that can be sent to a destination without being fragmented. Path MTU discovery is used to find this size, by simply setting the DP bit and sending successively larger packets until the network reports (over ICMP) a failure.

Answer 3

Do note that there is no standard way to set DF in C. On Linux, this code works:

result = setsockopt(mysocket, IPPROTO_IP, 
                IP_MTU_DISCOVER, IP_PMTUDISC_DO, sizeof(int));

but it does not on FreeBSD 6

Also, Path MTU discovery is extremely unreliable on the real Internet. Too many broken firewalls and middleboxes filter out ICMP "Packet too big" messages (here is a good way to test a candidate network administrator during an interview: ask him/her to stop ping and he/she will probably block completely ICMP.) See RFC 2923: "TCP Problems with Path MTU Discovery"

That's the reason why the IETF now suggest a new way to test the MTU, without relying on Path MTU Discovery: RFC 4821: "Packetization Layer Path MTU Discovery"