Hi Jacob,
Yes, there are likely many ways to check -- assuming you can create
the half-open scenario for IOS to react to in the first place. Any
thoughts there? Yersinia or something along that line?
Regards,
Scott
On Sep 6, 2009, at 9:07 , Jacob Uecker wrote:
> I have always heard of using TCP RSTs instead of FINs. You could
> always use a SPAN port and check :)
>
>
>
> Thanks,
>
> Jacob Uecker
> CCIE# 24481
>
> Development Engineer
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
>
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian Natarajan
> Sent: Sun 9/6/2009 7:21 PM
> To: Scott M Vermillion; Cisco certification
> Subject: Re: CBAC
>
> Thank you Scott M Vermillion for your thoughts and inferences.
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <
> scott_ccie_list_at_it-ag.com> wrote:
>
> > My understanding is that it sends TCP RST in both directions, although I
> > couldn't come up with a direct quote to offer as proof (plenty of quotes
> > that state that as fact where TCP intercept is concerned, but not CBAC
> > specifically). A TCP FIN wouldn't be my first guess, as that's the means of
> > closing an *established* socket. What we're dealing with here is half-open
> > connections instead. So my vote is on an RST, but I'm not sure how to lab
> > this up. A means to generate a TCP SYN followed by nothing else would be
> > required. No doubt such a thing exists but I'm just not sure I have it
> > readily available on any of my existing lab gear. Anyone else?
> >
> >
> > On Sep 6, 2009, at 5:17 , Andy Reid wrote:
> >
> >> Hi Anantha,
> >>
> >> I have never noticed that part of the description before: "it notifies
> >> both parties that the connection has been terminated". I can only assume
> >> that it sends a FIN packet in both directions after the timeout occurs
> >> to fully close the connection, though I have not tested this specific
> >> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> >> Can anyone else confirm or otherwise explain the action of "ip inspect
> >> tcp synwait-time"?
> >>
> >> Thanks, Andy
> >>
> >> Anantha Subramanian Natarajan wrote:
> >>
> >>> Hi Andy,
> >>>
> >>> Thank you very much for the explanation. I am trying to understand
> >>> the below highlighted statement, how it notifies the parties that the
> >>> connection is terminated, is it by sending some signal (something like
> >>> RST or ?)... Kindly help me to understand.
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP session
> >>> to be established (to complete the three-way handshake). The default is 30
> >>> seconds. If the three-way handshake is not completed by the end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and *it notifies both parties
> >>> that the connection has been terminated*"
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>> Anantha Subramanian Natarajan
> >>>
> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
> >>>
> >>> Hi Anantha,
> >>>
> >>> The command "ip inspect tcp finwait-time" is used when waiting for
> >>> the FIN packets (default is 5 seconds).
> >>>
> >>> The "ip inspect tcp synwait-time" is used to protect against half-open
> >>> sessions (default is 30 seconds) where the session never becomes
> >>> fully established, and therefore FIN packets are never sent.
> >>>
> >>> regards Andy
> >>>
> >>> Anantha Subramanian Natarajan wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I was going through CBAC and trying to understand the different global
> >>> settings on the same. One of those was "ip inspect tcp synwait-time".
> >>> The way in which I understood it was as stated below (actually just
> >>> pasting the statements):
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP
> >>> session to be established (to complete the three-way handshake). The
> >>> default is 30 seconds. If the three-way handshake is not completed by
> >>> the end of this timeout, Cisco IOS removes the entry from its state
> >>> table and the dynamic entry in the ACL (before FAB) and it notifies
> >>> both parties that the connection has been terminated"
> >>>
> >>> In the above I am trying to understand what kind of notification it
> >>> provides to both parties when the timeout is reached. Is it a TCP RST
> >>> or something different?
> >>>
> >>>
> >>>
> >>> Kindly let me know
> >>>
> >>>
> >>>
> >>> Thanks for the help
> >>>
> >>>
> >>>
> >>> Regards
> >>>
> >>> Anantha Subramanian Natarajan
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>> <http://www.ccie.net/>
> >>>
> >>>
> >>>
> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
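The thread ends on how to actually check what the inspection engine emits when synwait-time expires: generate a bare SYN, watch the wire from a SPAN port, and see whether the teardown segments are RSTs or FINs and which way they travel. The classifier below is an added example written for this page; it is not from the original posts and is not a Cisco tool. It takes a list of (timestamp, raw IPv4+TCP bytes) as a SPAN capture would yield after the Ethernet header is stripped, keys each flow by whoever sent the bare SYN, and labels every RST or FIN with its direction and with whether the flow was established, still inside the synwait window, or past it. The sample capture is constructed: its RST-based teardown at +30.2s is the thread's hypothesis put in as test data, not an observation of IOS behaviour, and the IP addresses, ports and the `synwait` default of 30 seconds are assumptions.

```python
"""Added example: classify TCP flows seen on a SPAN port as established or
half-open, and record how each was torn down (RST vs FIN, and in which direction).
Input is a list of (timestamp_seconds, raw IPv4+TCP bytes); the sample capture
below is constructed, not a real IOS trace."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_segment(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal IPv4+TCP segment (20-byte headers, no options, no payload).
    Checksums stay zero: this only feeds the parser, it is never sent."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_segment(raw: bytes) -> Tuple[str, str, int, int, int]:
    """Return (src, dst, sport, dport, tcp_flags) from a raw IPv4+TCP packet."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4               # IPv4 header length, options included
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return ip_str(raw[12:16]), ip_str(raw[16:20]), sport, dport, raw[ihl + 13]


@dataclass
class Flow:
    syn_at: float                           # time of the first SYN
    syn_ack_seen: bool = False
    established: bool = False               # third handshake segment seen
    teardown: List[str] = field(default_factory=list)


def track_flows(capture: List[Tuple[float, bytes]], synwait: float = 30.0) -> Dict[str, Flow]:
    """Key each flow as 'client:port->server:port', client being whoever sent the
    bare SYN. A RST/FIN is labelled 'after-synwait' when the handshake never
    completed and it arrives at or after `synwait` seconds from the SYN, i.e. in
    the window where the inspection engine would have expired the half-open entry."""
    flows: Dict[str, Flow] = {}
    for ts, raw in capture:
        src, dst, sport, dport, flags = parse_segment(raw)
        fwd, rev = f"{src}:{sport}->{dst}:{dport}", f"{dst}:{dport}->{src}:{sport}"
        if flags & SYN and not flags & ACK:
            flows.setdefault(fwd, Flow(syn_at=ts))   # keep the first SYN's time on retransmit
            continue
        if fwd in flows:
            key, direction = fwd, "to-server"
        elif rev in flows:
            key, direction = rev, "to-client"   # includes RSTs a firewall spoofs as the server
        else:
            continue                            # flow whose SYN the SPAN port never saw
        f = flows[key]
        if flags & SYN and direction == "to-client":
            f.syn_ack_seen = True
        elif (f.syn_ack_seen and direction == "to-server" and flags & ACK
              and not flags & (SYN | FIN | RST)):
            f.established = True
        if flags & (RST | FIN):
            kind = "RST" if flags & RST else "FIN"
            if f.established:
                phase = "established"
            elif ts - f.syn_at >= synwait:
                phase = "after-synwait"
            else:
                phase = "half-open"
            f.teardown.append(f"{kind} {direction} ({phase}, +{ts - f.syn_at:.1f}s)")
    return flows


def summarize(capture, synwait: float = 30.0) -> Dict[str, dict]:
    return {k: {"established": f.established, "teardown": f.teardown}
            for k, f in track_flows(capture, synwait).items()}


# Constructed capture (assumed addresses). Flow 1 is a SYN-only client whose
# handshake never completes; the two RSTs at +30.2s, spoofed in both directions,
# model the thread's RST hypothesis. Flow 2 is a normal session closed with FINs.
C1, C2, S = "10.1.1.10", "10.1.1.11", "10.2.2.20"
SAMPLE_CAPTURE = [
    (0.00, build_segment(C1, S, 40000, 80, SYN)),
    (0.01, build_segment(S, C1, 80, 40000, SYN | ACK)),
    (1.00, build_segment(C2, S, 40001, 80, SYN)),
    (1.01, build_segment(S, C2, 80, 40001, SYN | ACK)),
    (1.02, build_segment(C2, S, 40001, 80, ACK)),
    (5.00, build_segment(C2, S, 40001, 80, FIN | ACK)),
    (5.01, build_segment(S, C2, 80, 40001, FIN | ACK)),
    (30.20, build_segment(S, C1, 80, 40000, RST | ACK)),
    (30.20, build_segment(C1, S, 40000, 80, RST | ACK)),
]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_CAPTURE).items():
        print(key, "established" if info["established"] else "half-open", info["teardown"])
```

To feed it real traffic, read the SPAN capture from a pcap, drop the 14-byte Ethernet header from each frame, and pass (timestamp, bytes) pairs to `summarize`. For the bare SYN itself, a single `hping3 -S -c 1 -p 80 <target>` or a scapy `send(IP(dst=...)/TCP(dport=80, flags="S"))` works, with one caveat worth handling: the sending host's kernel has no socket for that port and will answer the SYN-ACK with its own RST, which tears the half-open entry down before synwait ever fires. Block that RST on the sending host first (on Linux, an iptables OUTPUT rule dropping TCP segments with the RST flag set towards the target), otherwise the RST you capture is your own.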
Received on Sun Sep 06 2009 - 21:55:33 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART