IP Identification why zero?

I must say that network troubleshooting is not an easy task, especially if you need to analyze thousands of packets in packet captures or lines of flow traces. The IP ID is the field I use most of the time to compare captures taken at different segments. It is also a crucial field for me for finding the right packet in a flow trace. I didn't know that this field could be zero until I noticed it in a flow trace. The following captured packet is a SYN-ACK segment from a Linux box.

Figure: ip_identification_zero

and the Identification field is 0. If you have multiple SYN-ACKs from the same source, your Seq/Ack numbers will also be the same, which means you have literally no way to distinguish the two packets apart from timing. I have searched for a way to disable this zero ID behaviour and make the field unique in Linux, but there doesn't seem to be any way. When I was searching through some documentation for the reason behind this zero ID, I found a very recent RFC, "Updated Specification of the IPv4 ID Field". Here is the text from this RFC that I really didn't like:

The RFC doesn't enforce anything on the value and also states that the originating source MAY set the ID field of atomic datagrams to any value. The RFC also touches on the performance impact of keeping the ID field unique for a given source/destination pair.
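To make the problem concrete, here is an added example (my own code, not something from the original post or from the Linux kernel): it parses raw IPv4 headers, flags "atomic" datagrams in the RFC's sense (DF set, MF clear, offset 0, the case where the ID MAY be anything, including 0), and builds the correlation key a troubleshooter would use to find the same packet in two captures. When the ID is populated, the addresses, protocol and ID are enough; when the ID is 0 it falls back to the TCP sequence/ack numbers, which is exactly the weaker comparison the post describes. The two sample packets (a SYN-ACK with ID 0 and DF set, and a UDP datagram with a non-zero ID) are constructed by hand for the demonstration, not taken from a real capture.

```python
# Added example: IPv4 header parsing, atomic-datagram classification and a
# cross-capture correlation key. Sample packets are constructed inline.
import struct
from dataclasses import dataclass

IP_DF = 0x4000          # Don't Fragment flag in the flags/fragment-offset word
IP_MF = 0x2000          # More Fragments flag
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    proto: int
    ident: int
    df: bool
    mf: bool
    frag_offset: int    # bytes
    ihl: int            # header length in bytes
    total_length: int

    @property
    def atomic(self) -> bool:
        # RFC terminology: DF set, MF clear, offset 0. Such a datagram is
        # never fragmented, so its ID carries no reassembly meaning.
        return self.df and not self.mf and self.frag_offset == 0


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header (options are skipped via IHL)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, frag_word,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return IPv4Header(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        proto=proto, ident=ident,
        df=bool(frag_word & IP_DF), mf=bool(frag_word & IP_MF),
        frag_offset=(frag_word & IP_OFFSET_MASK) * 8,
        ihl=ihl, total_length=total_length)


def correlation_key(packet: bytes) -> tuple:
    """Key for matching one packet between two captures.

    Non-zero ID: (src, dst, proto, ID) identifies the packet.
    Zero ID on TCP: fall back to ports plus seq/ack, which still collides
    for retransmitted SYN-ACKs, as the post observes.
    Zero ID on anything else: nothing in the IP header can tell them apart.
    """
    hdr = parse_ipv4(packet)
    base = (hdr.src, hdr.dst, hdr.proto)
    if hdr.ident != 0:
        return base + ("ipid", hdr.ident)
    if hdr.proto == 6:
        tcp = packet[hdr.ihl:hdr.ihl + 20]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        return base + ("tcp", sport, dport, seq, ack)
    return base + ("unmatchable",)


def count_zero_id_atomic(packets) -> int:
    """How many packets in a capture are atomic datagrams carrying ID 0."""
    return sum(1 for p in packets if (h := parse_ipv4(p)).atomic and h.ident == 0)


def build_ipv4(src, dst, proto, ident, flags, payload=b"") -> bytes:
    # Constructed test helper: checksum left 0, TTL 64, no options.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed sample 1: Linux-style SYN-ACK, DF set, IP ID 0.
SYN_ACK_TCP = struct.pack("!HHIIBBHHH", 443, 51000, 0x11223344, 0x55667788,
                          0x50, 0x12, 65535, 0, 0)
SYN_ACK = build_ipv4("10.0.0.2", "10.0.0.1", 6, 0, IP_DF, SYN_ACK_TCP)
# Constructed sample 2: UDP datagram without DF and with a populated ID.
UDP_PKT = build_ipv4("10.0.0.1", "10.0.0.2", 17, 0x1234, 0, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("SYN-ACK", SYN_ACK), ("UDP", UDP_PKT)):
        h = parse_ipv4(pkt)
        print(f"{name}: id={h.ident:#06x} DF={h.df} atomic={h.atomic} key={correlation_key(pkt)}")
    print("atomic packets with ID 0:", count_zero_id_atomic([SYN_ACK, UDP_PKT]))
```

Running this over a real capture (for example, packets pulled from a pcap with any reader that yields the raw IPv4 bytes) gives you the count of packets that cannot be matched on ID alone, which is a quick way to tell in advance whether an ID-based comparison between two captures is going to work.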

In my humble opinion, this field should never have a zero value, at least not for me :), and Linux should have a sysctl switch to disable this behaviour.

Especially if you have an IPsec VPN connection and need to take packet captures, you have almost no way to compare the captures taken on either side of the tunnel. Wouldn't it be nice to temporarily copy the IP identification field value into the outer header of an ESP packet, or to have some other way to let the troubleshooter match the clear-text packet with the encrypted one? It would be terrific!

One thought on “IP Identification why zero?”

  1. Ana

    I'm facing a similar issue. While testing a communication system, we noticed that for pings (ICMP echo requests and replies) the IP header Identifier is also set to 0. We don't seem to have a problem with other types of packets (ARPs, and other IP packets (UDP; haven't tested with TCP segments yet)); we get non-zero packet Identifiers. Is there any reason why pings come with IP packet identifiers of value 0? Can't seem to find any information. Also, what other types of packets should we expect to see identifiers of 0 for? Thanks!

