FragGuide: Enforcing Network Policies on Fragmented Packets
2018
Network Functions (NFs) are commonly used to provide key security and performance guarantees in networks. However, IP fragments greatly challenge these guarantees. Because only the first fragment keeps the complete layer-4 (L4) header after fragmentation, a firewall that is configured to let this packet through may drop all subsequent fragments due to missing L4 headers, causing policy violations. Also, the incomplete payload in fragments could reduce the processing accuracy of NFs (e.g., intrusion detection systems). To address these challenges, we present FragGuide, a transparent framework that helps NFs handle fragments correctly and efficiently without requiring any modification to the NFs. Our experimental results show that FragGuide can achieve 100% accuracy and zero invalid fragments for processing fragments in firewalls, and improve the detection rate of IDS by 15.63% on average, while guaranteeing lower processing latency.
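The policy violation described in the abstract can be reproduced with a small model. This is an added example, not code from the paper and not FragGuide's design: it compares a port-based filter that sees each fragment in isolation with a generic one that reuses the first fragment's verdict per (src, dst, proto, IP ID). The policy, addresses and payloads are constructed, and all function names are hypothetical.

```python
import struct

ALLOW_UDP_DPORTS = {53}  # constructed policy: allow UDP to port 53, default deny

def fragment(src, dst, ip_id, l4_bytes, chunk=16):
    """Split a UDP datagram into IPv4-style fragments (offsets in 8-byte units)."""
    assert chunk % 8 == 0
    return [{"key": (src, dst, 17, ip_id), "off": o // 8,
             "mf": o + chunk < len(l4_bytes), "data": l4_bytes[o:o + chunk]}
            for o in range(0, len(l4_bytes), chunk)]

def l4_allows(frag):
    """Port rule; only the first fragment carries the UDP header it needs."""
    if frag["off"] != 0 or len(frag["data"]) < 8:
        return None  # no L4 header in this fragment
    _sport, dport = struct.unpack("!HH", frag["data"][:4])
    return dport in ALLOW_UDP_DPORTS

def naive_filter(frags):
    """Header-less fragments match no allow rule and hit the default deny."""
    return [f for f in frags if l4_allows(f) is True]

def verdict_tracking_filter(frags):
    """Apply the first fragment's verdict to every fragment of that datagram."""
    verdicts, held, out = {}, {}, []
    for f in frags:
        v = l4_allows(f)
        if v is not None:                      # first fragment: decide once
            verdicts[f["key"]] = v
            pending = held.pop(f["key"], [])   # fragments that arrived early
            if v:
                out.append(f)
                out.extend(pending)
        elif f["key"] in verdicts:
            if verdicts[f["key"]]:
                out.append(f)
        else:
            # Hold until the first fragment shows up; a real device must
            # bound this state with timeouts and size limits.
            held.setdefault(f["key"], []).append(f)
    return out

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic: one permitted and one denied 48-byte datagram.
ALLOWED = fragment("192.0.2.10", "198.51.100.5", 0x1234, udp(40000, 53, b"A" * 40))
BLOCKED = fragment("192.0.2.10", "198.51.100.5", 0x1235, udp(40000, 9999, b"B" * 40))
```

With the naive filter the permitted datagram can never be reassembled at the receiver, because only its first fragment is forwarded.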