The successful transmission of messages over a packet-based network is governed by a multiplicity of different protocols which prescribe formats for message data and for packets in successive layers of encapsulation.
The ‘transport layer’ provides logical communication between processes running on different hosts (i.e. source host and destination host). A common transport layer protocol such as TCP (transmission control protocol) provides for such logical communication and a reliable data transfer service in the sense that it ensures ultimately that successive segments of a message are assembled at a destination host in a complete and correct order.
The network layer protocol, of which the most common example is IP (internet protocol), provides for proper addressing of message segments that travel between different networks. The most common form of IP currently is known as IPv4 (IP version 4), and a packet conforming to that version is characterised by a header that includes, among other things, fields identifying the version number, the header length, the type of service, the total packet length, an identifier, various flags, an offset, a time-to-live field, an identification of an upper layer protocol, a header checksum, a source IP address and a destination IP address, and an options field, followed by message data.
The third layer under discussion is the link layer, or media access control layer, which governs the transmission of a packet from one device to another in accordance with the link layer addressing of the devices or network cards that a packet will encounter on its route between source and destination.
As will be appreciated, there are in practice additional layers of encapsulation necessitated by such processes as encryption and tunnelling. Both of these processes add, as will be explained with reference to a typical example, substantially to the length occupied by header data in a packet.
It is both theoretically and practically desirable for IP packets to be completely encapsulated each in a single link layer packet for transport from one router to the next. However, the maximum amount of data that a link layer packet can carry, known as the MTU (maximum transmission unit), varies from one link layer protocol to another. For example, ‘Ethernet’ packets can carry approximately 1500 bytes of data whereas various wide area protocols are limited to an MTU of (for example) 576 bytes. There is a general problem that each link along the route between source and destination might use a different link layer protocol and each of these protocols can have a different MTU.
Since the size of an IP packet and the MTU can both vary, sometimes the packet size can exceed the MTU; this is liable to occur when header overheads from encryption and tunnelling are added.
Accordingly, it is known to be necessary, though not desirable, to allow fragmentation of IP packets. If, for example, IPv4 is employed, fragmentation may be performed either at the source or at an intermediate router. To assist in the final reassembly of the fragments of an IP packet, the header prescribed for IPv4 includes, as the 5th to 8th bytes of the header, an identification field, a flags field and a fragment offset field. Accordingly, when an IPv4 packet is created, the sending host ‘stamps’ the packet with an identification number as well as the source and destination addresses. Moreover, the sending host increments the identification number for each packet it sends. When a router needs to fragment a packet into separate frames, each resulting ‘fragment’ is ‘stamped’ with the source address, destination address and identification number of the original packet, as well as a fragment offset which indicates by how many bytes this fragment is offset from the start of the original packet. Accordingly, when a destination host receives a series of frames from the same sending host, it can examine the identification numbers of the frames to determine which of the frames comprise fragments of the same original packet. Because the internet protocol does not guarantee delivery (being principally an addressing system), one or more of the fragments may never arrive at the destination. For this reason, in order for the destination host to determine that it has received the last fragment of the original packet, it is conventional to send the last fragment with a ‘flag’ bit set to zero and all the other fragments with this flag bit set to one. Further, in order for the destination host to determine whether a fragment is missing, and also to be able to reassemble the fragments in their proper order, the offset field is used to specify where the fragment fits within the original IP packet.
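The identification, flag bit and offset mechanism described above, as an added example that is not part of the original text: a minimal IPv4 fragmenter for a given link MTU and a reassembler that uses only those three header fields, returning no payload when a fragment (or the final one with the flag bit clear) never arrives. The addresses, identification values and the zeroed checksum are constructed for illustration.

```python
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, identification,
HDR_LEN = 20                # flags+offset, TTL, protocol, checksum, src, dst
MF = 0x1                    # "more fragments" flag bit
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def build_header(ident, flags, offset_units, data_len, proto=17):
    """Minimal 20-byte IPv4 header (IHL 5, TTL 64); checksum left zero."""
    return struct.pack(HDR_FMT, 0x45, 0, HDR_LEN + data_len, ident,
                       (flags << 13) | offset_units, 64, proto, 0, SRC, DST)


def fragment(ident, payload, mtu):
    """Split a payload into IPv4 fragments that each fit within the link MTU.
    Every fragment but the last carries a multiple of 8 data bytes, since the
    13-bit fragment offset is counted in 8-byte units."""
    max_data = (mtu - HDR_LEN) // 8 * 8
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        more = MF if pos + len(chunk) < len(payload) else 0   # last gets MF=0
        frags.append(build_header(ident, more, pos // 8, len(chunk)) + chunk)
        pos += len(chunk)
    return frags


def reassemble(frames):
    """Group frames by identification and rebuild each original payload.
    Returns {ident: payload}; the value is None when a fragment is missing
    (the offsets do not join up) or the MF=0 fragment never arrived."""
    groups = {}
    for frame in frames:
        hdr = struct.unpack(HDR_FMT, frame[:HDR_LEN])
        total_len, ident, flags_off = hdr[2], hdr[3], hdr[4]
        offset, more = (flags_off & 0x1FFF) * 8, (flags_off >> 13) & MF
        g = groups.setdefault(ident, {"pieces": {}, "end": None})
        g["pieces"][offset] = frame[HDR_LEN:total_len]
        if not more:                      # last fragment fixes the total size
            g["end"] = offset + len(g["pieces"][offset])
    result = {}
    for ident, g in groups.items():
        out, pos = bytearray(), 0
        while g["end"] is not None and pos < g["end"] and pos in g["pieces"]:
            out += g["pieces"][pos]       # walk by offset, so arrival order is irrelevant
            pos += len(g["pieces"][pos])
        result[ident] = bytes(out) if g["end"] == pos else None
    return result
```

A 1536-byte payload sent over a 576-byte MTU link yields three fragments, and the same payload that fits a 1500-byte Ethernet link in one frame no longer does once tunnel or security headers push it past the MTU.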
If packets conforming to IPv6 (IP version 6) are employed they would be handled in basically the same manner, although the MTU has to be larger and fragmentation is indicated by a fragmentation extension header rather than by the ordinary header as in IPv4.
Reassembly of fragmented packets is an undesirable and time-consuming process. The difficulties are now compounded by the extensive use of tunnelling, as in virtual private networks (VPNs), and of enciphering, for example by means of IP security (IPSEC). For example, one way in which a virtual private network can be organised is to employ packets which use UDP as a transport protocol and a tunnelling protocol such as L2TP, and to encapsulate the UDP datagrams using an enciphering protocol within packets that can be transported generally, that is to say packets conforming to an internetworking protocol such as IP. The encapsulation may therefore, where the overall internetworking protocol is IP, be an IPSEC protocol such as AH (authentication header) or ESP (encapsulating security payload).
One effect of the use of tunnelling and/or enciphering is a substantial increase in the size of an IP packet. It is common therefore to find that if such a packet passes through an IPSEC based VPN, the added header causes the packet to exceed the maximum transmission unit, so that the packet is fragmented into two separate frames. In general, as more networks employ encryption and tunnelling as methods for the secure transmission of data between hosts, the additional security headers used to implement the security scheme result in increased fragmentation.
Packets which have been first encrypted and then fragmented into distinct frames, for example as a result of the extra header length, must currently be defragmented and then decrypted before they may be forwarded to a host. This causes additional latency in terms of clock cycles. Furthermore, since the defragmenting and reassembly process is usually offloaded to a separate processor, the offloading itself causes substantial overhead and adversely affects the overall throughput.