From: Priscilla Oppenheimer (cilla@xxxxxxxxxxxxx)
Date: Mon Feb 26 2001 - 17:07:44 GMT-3
I just wanted to make one correction. Record Route is an IP option. It's
not specific to ICMP. It is added to an IP header. It can be used on any
type of IP packet as long as the source, destination, and intermediate
routers support it.
As you say, the RR option isn't useful on large networks because there's
only room for 9 routers to add their addresses. The problem is that the IP
header-length field is only 4 bits. If all bits are set to 1s, then we can
have 15 32-bit words or 60 bytes in the IP header. Take away 20 for the
normal part of the IP header, and 3 for overhead associated with the RR
option, and you are left with only 37 bytes. Nine routers can use 4 bytes
each to record their addresses.
When the RR option is used, the first three bytes of the options field in
the IP header look like this:
Code = 7
Length = total number of bytes, which depends on how many routers have
added their address
Ptr = increments as each router adds its address, aids in the next router
figuring out where it should add its address
So, to make a short story long, if you wanted to do an access list to block
RR, you would have to block IP packets that use option 7. This would be
quite different from an access list to block traceroute, which is a UDP
packet (when Cisco traceroute is used) or a ping (when Microsoft traceroute
is used).
Priscilla
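As an added example (not from the original post, and not Cisco code), the option layout described above can be built and parsed in a few lines of Python. The values taken from the thread are the option code (7), the 3 bytes of overhead (code, length, pointer) and the 60-byte IPv4 header ceiling; the pointer semantics (1-based, starts at 4, option is full once it exceeds the length) are the RFC 791 rules, and all addresses are constructed sample values. `carries_record_route` is the check a "block option 7" filter performs, as opposed to matching an ICMP type.

```python
"""Build, fill and detect the IPv4 Record Route (RR) option, code 7.

Added example; option code, 3-byte overhead and 60-byte header limit come from
the thread, pointer handling follows RFC 791, addresses below are constructed.
"""
import struct

IP_BASE_HEADER_LEN = 20   # fixed part of the IPv4 header
IP_MAX_HEADER_LEN = 60    # IHL is 4 bits -> at most 15 * 4-byte words
RR_OPTION_CODE = 7        # IP option type for Record Route
RR_OPTION_OVERHEAD = 3    # code + length + pointer
IPOPT_EOL, IPOPT_NOP = 0, 1


def max_recordable_routers() -> int:
    """37 bytes remain after the base header and RR overhead: nine 4-byte slots."""
    room = IP_MAX_HEADER_LEN - IP_BASE_HEADER_LEN - RR_OPTION_OVERHEAD
    return room // 4


def build_rr_option(slots: int) -> bytes:
    """Empty RR option with `slots` zeroed address slots; pointer starts at 4 (RFC 791)."""
    if not 1 <= slots <= max_recordable_routers():
        raise ValueError("slots must be between 1 and 9")
    return bytes([RR_OPTION_CODE, RR_OPTION_OVERHEAD + 4 * slots, 4]) + b"\x00" * (4 * slots)


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def record_hop(option: bytes, router_ip: str) -> bytes:
    """What a forwarding router does: write its address at the pointer, advance by 4.
    A full option (pointer past the length) is forwarded unchanged."""
    code, length, ptr = option[0], option[1], option[2]
    if code != RR_OPTION_CODE:
        raise ValueError("not a Record Route option")
    if ptr > length:
        return option
    buf = bytearray(option)
    buf[ptr - 1:ptr + 3] = _ip_bytes(router_ip)   # pointer is 1-based
    buf[2] = ptr + 4
    return bytes(buf)


def recorded_route(option: bytes) -> list:
    """Dotted-quad addresses already written into an RR option."""
    data = option[3:option[2] - 1]
    return [".".join(str(b) for b in data[k:k + 4]) for k in range(0, len(data), 4)]


def parse_options(options: bytes) -> list:
    """Walk an IPv4 options area and return (code, payload) pairs, honouring NOP/EOL."""
    out, i = [], 0
    while i < len(options):
        code = options[i]
        if code == IPOPT_EOL:
            break
        if code == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        out.append((code, options[i + 2:i + length]))
        i += length
    return out


def build_ipv4_header(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero) with options padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = (IP_BASE_HEADER_LEN + len(options)) // 4
    if ihl > 15:
        raise ValueError("options too long for the 4-bit IHL field")
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, IP_BASE_HEADER_LEN + len(options),
                      0, 0, 64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + options


def carries_record_route(ip_header: bytes) -> bool:
    """The test a 'deny ip option 7' style filter makes: is option 7 present in this header?"""
    ihl = (ip_header[0] & 0x0F) * 4
    if ihl < IP_BASE_HEADER_LEN or ihl > len(ip_header):
        raise ValueError("bad IHL")
    return any(code == RR_OPTION_CODE
               for code, _ in parse_options(ip_header[IP_BASE_HEADER_LEN:ihl]))


if __name__ == "__main__":
    opt = build_rr_option(max_recordable_routers())       # largest possible RR option
    for hop in ("10.0.0.1", "10.0.0.2"):                   # two constructed router hops
        opt = record_hop(opt, hop)
    hdr = build_ipv4_header("192.0.2.1", "192.0.2.9", 1, opt)   # proto 1 = ICMP
    print(len(hdr), recorded_route(opt), carries_record_route(hdr))
```

Note that `carries_record_route` never looks at the protocol field: an RR option rides on ICMP, UDP or anything else, which is why an option-based filter and an ICMP-type filter are different things.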
>2. There is however another option and that is the ICMP Record Route
>function. It is a specific ICMP packet type in which the routers along a
>given path write their IP address on the RR ICMP header field. This however
>has severe limitations, because the maximum size an IP header can have is 60
>bytes (15 times 32 bits - the header length field is 4 bits and is counted in
>32-bit words). This means that the maximum number of hops you can record is
>limited to 9 entries. Because of this, ICMP RR is not used very much if at
>all. However it is a valid ICMP packet type and that is why you can filter
>it specifically by means of an access list. However doing so will not block
>the traditional traceroute widely used today.
>
>HTH,
>
>-Luis
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>JZ
>Sent: Sunday, February 25, 2001 10:48 PM
>To: ccielab@groupstudy.com
>Subject: How to block "traceroute" output but allow "ping" ?
>
>
>Hi, here is an issue regarding "traceroute" of ICMP:
>
> rL:s0 ------------- s0:rM:S1 --------------s0:rR
> | |
> tr <rR:s0 ip > "ip acc-grp 100 out"
> ping <rR:s0 ip>
>
>Q: apply acl on rM:S1 (out) to block the output of
>traceroute from rL to rR, but allow rL ping rR.
>All routers have full IP connectivity.
>
>My cfg. on rM: (omitting unrelated part)
> !
> int rM:S1
> ip acc-grp 100 out
> !
> acl# 100 deny ICMP any any EQ Traceroute
> acl# 100 permit ip any any
> !
>
>While verifying, from rL using "tr <rR:s0 IP>", the
>traceroute output from both routers -- rM and rR -- shows up.
>Ping works well.
>
>Was anything wrong in the cfg. that fails to block the output
>from rR?
>
>Thanks in advance,
>
>JZ
>Sunday
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:03 GMT-3