Posted by Phil Begriffenfeldt on March 27, 2008, 12:29 pm
I'd like to block traffic to my routers from outside my network; but still to allow my routers to traceroute/ping to hosts outside my network; and reply to traceroutes sourced outside the network.

Is there a way to force ICMP replies to come from a particular IP address? For example, something like "ip icmp source-interface loopback2", where the ICMP messages generated by my routers would come from a source IP that I can specify? That would help to hide interface IPs from casual miscreants.

Alternatively, I could try to block all packets entering my network with destination IPs of my internal links. But that would block replies from simple outbound pings and traceroutes from router CLI sessions. If there were a way to bind locally-sourced ping and traceroute to a particular source IP on each router, then that would also be helpful.

Perhaps blocking at the network edge is not productive, and I should be using Control Plane Policing for this? Router platform is a mix of VXR and 3BXL.
Posted by News Reader on March 27, 2008, 2:05 pm
Attach an ACL to the WAN interface (direction "in") that specifies to which IP addresses (interfaces) you will permit ICMP.

The direction is specified by the keyword "in", in the following example:

    ip access-group <acl-name> in

For security reasons, you should actually specify the "types" of ICMP you wish to permit (e.g.: echo-reply, time-exceeded, unreachable, administratively-prohibited, packet-too-big, source-quench, parameter-problem). Some types of ICMP should definitely be denied.

Other info of interest:

Extended ping (via the CLI) permits you to specify the source IP address that will be used in the outbound ping, which then becomes the destination IP address in the reply packet.

"Inspection" applied on a LAN interface will open temporary dynamic holes in the return path ACLs to accommodate replies to pings sent from internal hosts.

Best Regards,
News Reader
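A concrete way to apply the advice above on a Cisco IOS router, as an added example that is not from the thread. Assumed names and addresses, none of which appear in the original posts: Loopback2 is 192.0.2.1, the point-to-point link addresses sit in 198.51.100.0/24, the WAN uplink is GigabitEthernet0/0, and 203.0.113.9 is an outside host being probed.

```cisco
! Inbound ACL on the WAN side. Replies to ping/traceroute that the router
! itself sourced from Loopback2 come back addressed to 192.0.2.1, so that
! address and these ICMP types are all the outside needs to reach.
ip access-list extended WAN-IN
 remark --- replies to router-sourced ping and traceroute, loopback only ---
 permit icmp any host 192.0.2.1 echo-reply
 permit icmp any host 192.0.2.1 time-exceeded
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 packet-too-big
 permit icmp any host 192.0.2.1 parameter-problem
 remark --- types with no legitimate inbound use from the outside ---
 deny   icmp any any redirect log
 deny   icmp any any mask-request log
 remark --- no other ICMP to the loopback or to the link addresses ---
 deny   icmp any host 192.0.2.1 log
 deny   icmp any 198.51.100.0 0.0.0.255 log
 remark --- transit traffic to hosts behind the router: your own policy ---
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN uplink (assumed name)
 ip access-group WAN-IN in
!
! Traceroutes started outside and aimed at hosts behind this router keep
! working: their probes transit via the final permit, and the time-exceeded
! messages the router generates leave outbound, where this ACL is not applied.
!
! From the exec prompt, source your own probes from the loopback so the
! replies match the permits above. A plain "ping 203.0.113.9" is sourced
! from the egress interface address and its echo-reply would hit the deny
! for 198.51.100.0/24, which is the breakage the original poster described.
! Router# ping 203.0.113.9 source 192.0.2.1
! Router# traceroute 203.0.113.9 source 192.0.2.1
!
! The deny counters should climb only for outside probing, never for your
! own replies; "log" on a deny is process-switched, so keep it on a few lines.
! Router# show ip access-lists WAN-IN
```

Entries are matched top-down, so the narrow permits for 192.0.2.1 must precede the broad denies, and anything you later add for other protocols to the link addresses (peering sessions, management) goes before the final permit.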
Posted by Thrill5 on March 27, 2008, 9:31 pm
Traceroute doesn't use ICMP, it sends UDP packets on port 16667 (usually), increasing the TTL by one. The router that gets the packet with a TTL of 1 will reply with an ICMP TTL exceeded message.
Posted by News Reader on March 28, 2008, 12:43 am
Beg to differ.

It's system dependent.

I just performed a traceroute from a Windows XP host through my IPSec+GRE VPN, and captured it with Wireshark to confirm my beliefs.

A Windows XP (and probably other Windows platforms) uses ICMP for traceroute.

Best Regards,
News Reader

Thrill5 wrote:
> Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
> increasing the TTL by one. The router that gets the packet with a TTL of 1
> will reply with an ICMP TTL exceeded message.
Posted by Barry Margolin on March 28, 2008, 10:34 pm
> Beg to differ.
>
> It's system dependent.
>
> I just performed a traceroute from a Windows XP host through my IPSec+
> GRE VPN, and captured it with Wireshark to confirm my beliefs.
>
> A Windows XP (and probably other Windows platforms) uses ICMP for
> traceroute.

He said he wants to "allow my routers to traceroute/ping to hosts". He didn't say anything about allowing Windows to TRACERT. So Windows's behavior is not relevant, only Cisco's.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

set srcIP for ICMP replies, or for locally sourced connections?