Re: Traceroute and RACL

From: Scott M Vermillion (scott@it-ag.com)
Date: Tue Mar 03 2009 - 23:42:16 ARST


> I found out that the Microsoft implementation of TRACEROUTE uses ICMP to
> send the traffic. So I guess in such cases this command will be effective to
> allow the traceroute inside outbound ["access-list 100 permit icmp any any
> traceroute"]

That would make sense, but that's not actually how it works. In fact,
it doesn't work at all. Here's a little cut-and-paste from a couple
of different discussions on the topic last year:

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Monday, November 24, 2008 6:58 AM
To: ccie forum
Subject: Traceroute Block

HI Group

Can someone please confirm if the following serve the same purpose or are
different:

R1(config-if)#do sh ip access-li
Extended IP access list TEST
    10 deny icmp any any traceroute
    20 permit ip any any

Extended IP access list TEST1
    10 deny udp any any range 33400 34400 log
    20 permit ip any any
I found the 2nd one working for me ..
I actually configured the 1st ACL thinking it would work, but it didn't ..
Finally I googled it to find the UDP ports ..
Can someone please let me know what I am missing and how to test this one?

Gaurav Madan

        From: scott_ccie_list@it-ag.com
        Subject: RE: Traceroute Block
        Date: November 24, 2008 9:25:45 MST
        To: gauravmadan1177@gmail.com, ccielab@groupstudy.com

Hey Gaurav,

I believe that the 'traceroute' keyword has to do with ICMP Type Code 30
(http://www.iana.org/assignments/icmp-parameters). This never got any
traction and thus is pretty much a historical footnote in IOS.
(http://www.faqs.org/rfcs/rfc1393.html)

Just to prove this to yourself, do the following:

R1(config-ext-nacl)#deny icmp any any 30
R1(config-ext-nacl)#do sh ip access
Extended IP access list test
    10 deny icmp any any traceroute

Regards,

Scott

----------
And also:

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Daniel Kutchin
Sent: Monday, October 20, 2008 2:43 PM
To: ccielab@groupstudy.com
Subject: RE: Access list question (WARNING: Ridiculously Long Follow-Up)

Apparently RFC 1393 isn't being implemented. This ACL was a toothless dog:

ip access-list extended acl-f0/0-in
deny ip any any option traceroute log
deny udp any any option traceroute log
permit ip any any

Daniel

        From: scott_ccie_list@it-ag.com
        Subject: RE: Access list question (WARNING: Ridiculously Long Follow-Up)
        Date: October 20, 2008 3:13:37 MDT
        To: daniel@kutchin.com, ccielab@groupstudy.com
        Reply-To: scott_ccie_list@it-ag.com

That seems to be correct Daniel. In theory, this would have allowed a
single packet in the forward direction with one response packet in the
reverse direction at each hop along the way. So we would reduce from (2
packets X no. hops) to (1 + 1 X no. hops). But in the transition, we would
have had some IP protocol stacks out there supporting this and some not, so
trace results would have been interesting. And in the end, I think most
(actually all, from what I understand) vendors decided that mucking with a
stable protocol stack to add in minor bells-and-whistles functionality such
as this simply wasn't worth the minimal bandwidth savings that would have
been realized. So it never got past the "experimental" phase.

I found the following quote from RFC1393 to be interesting, though:

"The disadvantage of this method is that the traceroute function will
have to be put into the routers. To counter this disadvantage,
however, is the fact that this mechanism may be easily ported to a
new IP version."

I have no idea where any of this stands as of today, but there's some
interesting stuff out there if you google "traceroute ipv6," such as:

http://www.isoc.org/inet2000/cdproceedings/1e/1e_3.htm

Happy reading,

Scott

>
> On Sat, Feb 28, 2009 at 10:08 PM, Edouard Zorrilla
> <ezorrilla@tsf.com.pe>wrote:
>
>> Right,
>>
>> Cisco routers work with UDP and return ICMP port-unreachable and
>> time-exceeded. So first UDP, and the return packet is ICMP. Regarding the
>> RACL, just make sure you allow ICMP port-unreachable and time-exceeded to
>> come back inside the inbound ACL, and of course allow UDP inside the
>> outbound ACL.
>>
>> Rack1R6#sh run int Virtual-Access1
>> Building configuration...
>>
>> Current configuration : 126 bytes
>> !
>> interface Virtual-Access1
>> ip address 54.1.7.6 255.255.255.0
>> ip access-group inbound in
>> ip access-group outbound out
>> end
>>
>> Rack1R6#
>>
>> Rack1R6#sh ip access-lists inbound
>> Extended IP access list inbound
>> 10 permit tcp any any eq bgp (46481 matches)
>> 20 permit tcp any eq bgp any
>> 21 permit icmp any any port-unreachable (19 matches)
>> 22 permit icmp any any time-exceeded
>> 30 evaluate ME
>> 40 permit icmp any any echo-reply
>> 50 deny ip any any log (229160 matches)
>> Rack1R6#
>> Rack1R6#sh ip access-lists outbound
>> Extended IP access list outbound
>> 10 permit tcp any any reflect ME
>> 20 permit udp any any reflect ME (273 matches)
>> 30 permit icmp any any
>> 40 deny ip any any log
>> Rack1R6#
>>
>> Rack1R6#sh ip cef exact-route 183.1.123.2 54.1.7.254
>> 183.1.123.2 -> 54.1.7.254 : Virtual-Access1 (attached)
>> Rack1R6#
>>
>> So let's go to Rack1R2 (183.1.123.2):
>>
>> Rack1R2#traceroute 54.1.7.254
>>
>> Type escape sequence to abort.
>> Tracing the route to 54.1.7.254
>>
>> 1 183.1.123.3 20 msec 8 msec 0 msec
>> 2 183.1.0.5 4 msec 4 msec 0 msec
>> 3 183.1.0.4 4 msec 4 msec 4 msec
>> 4 183.1.46.6 4 msec 4 msec 4 msec
>> 5
>> *Feb 28 11:51:46.523: ICMP: time exceeded rcvd from 183.1.123.3
>> *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
>> *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
>> *Feb 28 11:51:46.535: ICMP: time exceeded rcvd from 183.1.0.5
>> *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
>> *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
>> *Feb 28 11:51:46.543: ICMP: time exceeded rcvd from 183.1.0.4
>> *Feb 28 11:51:46.547: ICMP: time exceeded rcvd from 183.1.0.4
>> *Feb 28 11:51:46.551: ICMP: time exceeded rcvd from 183.1.0.4
>> *Feb 28 11:51:46.555: ICMP: time exceeded rcvd from 183.1.46.6
>> *Feb 28 11:51:46.559: ICMP: time exceeded rcvd from 183.1.46.6
>> *Feb 28 11:51:46.563: ICMP: time exceeded rcvd from 183.1.46.6 *
>> * *
>> 6 * * *
>> 7 54.1.7.254 4 msec
>> *Feb 28 11:52:04.567: ICMP: dst (183.1.123.2) port unreachable rcv from 54.1.7.254 * 4 msec
>> Rack1R2#
>>
>> Rack1R6#sh ip access-lists ME
>> Reflexive IP access list ME
>> permit udp host 54.1.7.254 eq 33448 host 183.1.123.2 eq 41606 (1 match) (time left 296)
>> permit udp host 54.1.7.254 eq 33447 host 183.1.123.2 eq 33667 (1 match) (time left 296)
>> permit udp host 54.1.7.254 eq 33446 host 183.1.123.2 eq 33777 (1 match) (time left 293)
>> Rack1R6#
>>
>> Now, regarding the "access-list 100 permit icmp any any traceroute", I
>> wondered the same thing before, but after doing some digging I realized
>> that this is just a kind of historical command, defined in RFC 1393. No
>> more than this; I haven't seen any application of it in real life.
>>
>> Does anyone?
>>
>> Regards
>>
>>
>> ----- Original Message ----- From: "mahmoud genidy" <
>> ccie.mahmoud@gmail.com>
>> To: "Cisco certification" <ccielab@groupstudy.com>
>> Sent: Friday, February 27, 2009 7:11 PM
>> Subject: Traceroute and RACL
>>
>>
>> Hi GS,
>>>
>>> Regarding the TRACEROUTE traffic and how it is related to
>>> Reflexive ACL.
>>>
>>> According to the Cisco implementation the TRACEROUTE traffic goes out
>>> as UDP and returns as ICMP (Port unreachable and Time-Exceeded). Am I
>>> correct?!
>>>
>>> BUT I found this command in the DOC CD:
>>>
>>> { Router(config)# *access-list 100 permit icmp any any traceroute* }
>>>
>>> Then I found that TRACEROUTE is ICMP type 30. Now I'm confused how to
>>> match it in the OUT and IN direction if I will use RACL!
>>>
>>> Any hints?
>>>
>>> Thanks
>>> Mahmoud.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
>

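As an added illustration, not from the thread or from IOS itself: a small Python model of the first-match ACL behaviour the lab above demonstrates, run over constructed packets. It checks that Rack1R6's explicit permits for port-unreachable and time-exceeded are what let the replies in, that the entry a reflexive ACL mirrors from the UDP probe never matches an ICMP reply, and that the `traceroute` keyword (ICMP type 30) matches nothing a traceroute actually produces. The field names, port numbers and the simplified matching are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # UDP ports; unused for ICMP
    dport: int = 0
    itype: int = -1  # ICMP type/code; unused for UDP
    icode: int = -1

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "udp", "icmp" or "ip" (any protocol)
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None   # exact UDP ports, as IOS "eq"
    dport: Optional[int] = None
    itype: Optional[int] = None   # ICMP type, e.g. 11 = time-exceeded
    icode: Optional[int] = None   # ICMP code, e.g. type 3 code 3 = port-unreachable

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and self.itype in (None, p.itype) and self.icode in (None, p.icode))

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    return next((e.action for e in acl if e.matches(p)), "deny")

def reflect(probe: Packet) -> Entry:
    """Entry a reflexive ACL derives from an outbound UDP probe: the mirrored 5-tuple."""
    return Entry("permit", probe.proto, probe.dst, probe.src, probe.dport, probe.sport)
# Constructed traffic modelled on the lab: UDP probe from Rack1R2, replies from a hop and the target.
PROBE = Packet("udp", "183.1.123.2", "54.1.7.254", sport=41606, dport=33448)
HOP_REPLY = Packet("icmp", "183.1.123.3", "183.1.123.2", itype=11, icode=0)   # time-exceeded
TARGET_REPLY = Packet("icmp", "54.1.7.254", "183.1.123.2", itype=3, icode=3)  # port-unreachable
# Rack1R6's inbound ACL, reduced to lines 21, 22 and the evaluated reflexive entry.
INBOUND = [Entry("permit", "icmp", itype=3, icode=3), Entry("permit", "icmp", itype=11), reflect(PROBE)]
# "permit icmp any any traceroute" is ICMP type 30 (RFC 1393), which nothing on the path sends.
TYPE30_ONLY = [Entry("permit", "icmp", itype=30)]

def verdicts(acl: list) -> dict:
    return {"hop": evaluate(acl, HOP_REPLY), "target": evaluate(acl, TARGET_REPLY),
            "reflexive_hits_reply": reflect(PROBE).matches(TARGET_REPLY)}
```

Swap `INBOUND` for `TYPE30_ONLY` in `verdicts` to see both replies fall through to the implicit deny, which is the "toothless dog" the thread describes.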



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART