RE: Security Question (Traceroute)

From: Mike Haddad (mike.haddad@hotmail.com)
Date: Sun Mar 16 2008 - 05:39:15 ART

• Next message: Paul Cosgrove: "Re: Route selection for Inter Area routes"
• Previous message: Ahsan Mohiuddin: "Re: Security Question (Traceroute)"
• Maybe in reply to: Mike Haddad: "Security Question (Traceroute)"
• Next in thread: Joseph Saad: "Re: Security Question (Traceroute)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thanks Ahsan for the feedback however I have the below question:
To allow traceroute from networks behind my router I allow the below outbound
icmp time-exceed
icmp host-unreachable

To allow trace-route to transit my router OR to my router I have to allow the
below inbound
icmp time-exceed
icmp host-unreachable

is that right?

Thanks,

Date: Sun, 16 Mar 2008 01:15:56 -0700From: ahsan.mohiuddin@yahoo.comSubject:
Re: Security Question (Traceroute)To: mike.haddad@hotmail.com;
ccielab@groupstudy.com
Mike,

there is no need to allow UDP inbound. If the UDP port numbers you mentioned
are allowed outbound, cisco traceroute will invoke 1) icmp time-exceeded
response from transit router(s) and, 2) an icmp port-unreachable response from
destination.

So, even for Cisco's UDP-based implementation of traceroute, you just need to
ensure that these two icmp type codes are allowed inbound i.e. time-exceed and
port-unreachable.

HTH,
Ahsan Mike Haddad <mike.haddad@hotmail.com> wrote:
Hello,I know that traceroute varies depening on the platform used. Some
platformuse ICMP and some others use UDP as in cisco routers. THe issue is if
I wasrequested to allow traceroute inbound what should I choose UDP or
ICMP?ICMP ACL:permit icmp any any time-exceededpermit icmp any any
port-unreachableThe above will allow traceroute Inbound and outboundUDP
AC:Permit udp any any range 33434 33464The above will allow traceroute Inbound
and outbound using UDPI appreciate your clarification and please correct me if
I am
incorrect,Regards,___________________________________________________________
______Your chance to win great prizes with Windows Live Mail and Rogers
MobileMail.Click here to learn
how.http://g.msn.ca/ca55/207_________________________________________________
______________________Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html

Looking for last minute shopping deals? Find them fast with Yahoo! Search.

• Next message: Paul Cosgrove: "Re: Route selection for Inter Area routes"
• Previous message: Ahsan Mohiuddin: "Re: Security Question (Traceroute)"
• Maybe in reply to: Mike Haddad: "Security Question (Traceroute)"
• Next in thread: Joseph Saad: "Re: Security Question (Traceroute)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART