Re: Security Question (Traceroute)

From: Ahsan Mohiuddin (ahsan.mohiuddin@yahoo.com)
Date: Sun Mar 16 2008 - 05:15:56 ART

• Next message: Mike Haddad: "RE: Security Question (Traceroute)"
• Previous message: Mike Haddad: "RE: NBAR Classification Question"
• Maybe in reply to: Mike Haddad: "Security Question (Traceroute)"
• Next in thread: Mike Haddad: "RE: Security Question (Traceroute)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Mike,
   
  there is no need to allow UDP inbound. If the UDP port numbers you mentioned are allowed outbound, cisco traceroute will invoke 1) icmp time-exceeded response from transit router(s) and, 2) an icmp port-unreachable response from destination.
   
  So, even for Cisco's UDP-based implementation of traceroute, you just need to ensure that these two icmp type codes are allowed inbound i.e. time-exceed and port-unreachable.
   
  HTH,
  Ahsan

Mike Haddad <mike.haddad@hotmail.com> wrote:
  Hello,

I know that traceroute varies depening on the platform used. Some platform
use ICMP and some others use UDP as in cisco routers. THe issue is if I was
requested to allow traceroute inbound what should I choose UDP or ICMP?
ICMP ACL:
permit icmp any any time-exceeded
permit icmp any any port-unreachable

The above will allow traceroute Inbound and outbound

UDP AC:
Permit udp any any range 33434 33464

The above will allow traceroute Inbound and outbound using UDP

I appreciate your clarification and please correct me if I am incorrect,
Regards,

• Next message: Mike Haddad: "RE: Security Question (Traceroute)"
• Previous message: Mike Haddad: "RE: NBAR Classification Question"
• Maybe in reply to: Mike Haddad: "Security Question (Traceroute)"
• Next in thread: Mike Haddad: "RE: Security Question (Traceroute)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART