From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Jun 11 2004 - 15:54:25 GMT-3
Ken,
It is important to think of traceroute as a technique and not
necessarily an application as there are various implementations of
traceroute. Some implementations use UDP packets to trigger the
responses from the routers in the path and the final destination, while
others use ICMP and some even use TCP. It doesn't necessarily matter
what type of packets are used, as the goal of traceroute is to find the
path the packets take between the source and destination. So, this
means that someone can not correctly say that traceroute is UDP or ICMP.
It is going to depend on the particular implementation of traceroute
they are referring to. If they are referring to the Cisco IOS, then
you can say that Cisco's implementation uses UDP to trigger the
responses.
For traceroute to find the path the packets take between the
source and destination traceroute needs to accomplish two tasks. The
first task is to discover any routers that are along the path. This is
done by manipulating the time-to-live (TTL). The second task is to have
the destination respond so that traceroute knows that the destination
has been reached. Depending on the particular implementation of
traceroute, this response could be an ICMP echo reply, ICMP port
unreachable, or in the case of TCP based traceroute, a 'SYN, ACK'.
Here is an example of a traceroute implementation that uses TCP.
[root@Homer bdennis]# tcptraceroute -n www.cisco.com 80
Selected device eth0, address 172.16.1.250, port 32795 for outgoing packets
Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
1 64.172.154.254 (64.172.154.254) 38.485 ms 13.425 ms 39.358 ms
2 63.234.16.33 (63.234.16.33) 13.793 ms 15.680 ms 26.380 ms
3 63.234.16.8 (63.234.16.8) 15.852 ms 28.993 ms 13.263 ms
4 151.164.181.73 (151.164.181.73) 34.957 ms 36.938 ms 31.576 ms
5 151.164.240.134 (151.164.240.134) 31.983 ms 34.405 ms 31.756 ms
6 144.228.44.49 (144.228.44.49) 33.196 ms 34.641 ms 31.970 ms
7 144.232.0.225 (144.232.0.225) 31.998 ms 36.637 ms 31.794 ms
8 144.232.3.138 (144.232.3.138) 31.458 ms 34.687 ms 31.498 ms
9 144.228.44.14 (144.228.44.14) 32.125 ms 34.090 ms 31.759 ms
10 128.107.239.89 (128.107.239.89) 31.990 ms 34.416 ms 31.970 ms
11 128.107.239.98 (128.107.239.98) 34.473 ms 36.888 ms 31.753 ms
12 198.133.219.25 (198.133.219.25) [open] 31.808 ms 39.538 ms 37.105 ms
[root@Homer bdennis]#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
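The two tasks Brian describes (TTL-driven discovery of intermediate routers, then an implementation-specific answer from the destination) as a small simulation. This is an added example, not code from the thread or from any traceroute implementation; the router path and addresses are constructed, and no packets are sent.

```python
# Added example (not from the thread): simulate the traceroute technique.
# Routers decrement TTL and answer "time-exceeded" when it hits zero; the
# destination answers according to the probe type, as described in the thread.

# Destination response expected for each probe type (from the thread).
FINAL_RESPONSE = {
    "udp": "icmp port-unreachable",   # Cisco IOS style: UDP probe to a high port
    "icmp": "icmp echo-reply",        # ICMP echo probe
    "tcp": "tcp syn-ack",             # tcptraceroute style: TCP SYN probe
}

# Constructed path: three routers, then the destination host (last entry).
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "198.51.100.25"]


def send_probe(path, ttl, probe):
    """Walk one probe along the path. Returns (responder, response)."""
    for hop, addr in enumerate(path, start=1):
        if hop == len(path):
            # Destination: the packet is delivered, so the host itself answers.
            return addr, FINAL_RESPONSE[probe]
        ttl -= 1  # each forwarding router decrements TTL
        if ttl == 0:
            return addr, "icmp time-exceeded"
    return None, None  # unreachable with this TTL (path exhausted)


def traceroute(path, probe="udp", max_hops=30):
    """Task 1 + task 2: raise TTL until the destination's own reply appears."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, resp = send_probe(path, ttl, probe)
        hops.append((ttl, addr, resp))
        if resp != "icmp time-exceeded":
            break  # anything other than time-exceeded came from the destination
    return hops


def return_traffic(probe):
    """Responses the probing side must allow back in for this probe type."""
    return {"icmp time-exceeded", FINAL_RESPONSE[probe]}


def return_protocols(probe):
    """Protocols of the inbound responses (the outbound probe type is separate)."""
    return {resp.split()[0] for resp in return_traffic(probe)}


if __name__ == "__main__":
    for ttl, addr, resp in traceroute(PATH, "udp"):
        print(f"{ttl:2d} {addr} {resp}")
    print("inbound for UDP traceroute:", return_protocols("udp"))
```

For the UDP case every inbound response is ICMP, which is why the IOS ACL in the thread matches time-exceeded and unreachable rather than a "permit udp" line.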
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kenneth Wygand
Sent: Friday, June 11, 2004 7:31 AM
To: Brian McGahan; ccie2be; Group Study
Subject: RE: icmp filtering
Figure that out. Cisco traceroute uses UDP, yet it's matched in an ACL
as "permit _icmp_ any any time-exceeded" and "permit _icmp_ any any
unreachable".
Is it even possible to match traceroutes with a "permit udp" command?
Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"The only unattainable goal is the one not attempted."
-Anonymous
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Tuesday, June 08, 2004 7:18 PM
To: ccie2be; Group Study
Subject: RE: icmp filtering
> ***************
> Since a traceroute uses ping, and the icmp message type isn't considered
> since all message types are allowed, wouldn't any type of icmp message type
> be allowed back in by virtue of the "permit icmp any any reflect ICMP" and
> therefore negate the need for explicitly allowing
> the icmp time-exceeded and unreachable message types?
>
> **********************
Cisco traceroute doesn't use ICMP, it uses UDP. Read Lab 3 task 10.1 -
10.3 breakdown for more info.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Tuesday, June 08, 2004 6:07 PM
> To: Brian McGahan; Group Study
> Subject: Re: icmp filtering
>
> Thanks for getting back to me.
>
> See comments in-line.
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, June 08, 2004 6:02 PM
> Subject: RE: icmp filtering
>
>
> Tim,
>
> What about the question and solution implies this? The question
> says:
>
> "Configure your network so that ICMP traffic is only allowed into your
> network if the traffic was initiated from behind R5. For diagnostic and
> troubleshooting purposes, ensure that users throughout your network are
> still able to traceroute from behind R5."
>
> The solution is:
>
> R5:
> interface Ethernet0/1
> ip access-group DENY_SNMP in
> ip access-group EVALUATE_ICMP out
> !
> ip access-list extended DENY_SNMP
> deny udp any any eq snmp
> permit icmp any any time-exceeded
> permit icmp any any unreachable
> evaluate ICMP
> deny icmp any any
> permit ip any any
> !
> ip access-list extended EVALUATE_ICMP
> permit icmp any any reflect ICMP
> permit ip any any
>
> Essentially you are watching ICMP traffic that is exiting:
>
> permit icmp any any reflect ICMP
>
> and you are allowing it back in only if it was initiated from the
> inside:
>
> evaluate ICMP
> deny icmp any any
>
> ***************
> Since a traceroute uses ping, and the icmp message type isn't considered
> since all message types are allowed, wouldn't any type of icmp message type
> be allowed back in by virtue of the "permit icmp any any reflect ICMP" and
> therefore negate the need for explicitly allowing
> the icmp time-exceeded and unreachable message types?
>
> **********************
>
> but you are allowing trace replies back:
>
> permit icmp any any time-exceeded
> permit icmp any any unreachable
>
> How does this relate to echo or echo-reply?
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Tuesday, June 08, 2004 4:40 PM
> > To: Group Study
> > Subject: icmp filtering
> >
> > Hi guys,
> >
> > I hope this isn't too dumb a question, but...
> >
> > Can someone confirm what this acl entry does?
> >
> > ip access-list ext ping
> > permit (or deny) icmp any any <-----
> >
> > In particular, does this allow all icmp message types or just echo-request and
> > echo-reply?
> >
> > I've searched the Doc CD and the whole of cisco.com but couldn't find
> > anything definitive.
> >
> > I would think it would allow (or deny) all icmp message types but, I'm
> > doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to
> > indicate that it only permits message types echo-request and echo-reply.
> >
> > Any feedback would be appreciated. Also, if someone knows of any links
> > which discuss this in detail, please let me know.
> >
> > TIA, Tim
> >
> >
>
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:38 GMT-3