<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: Traceroute via CIPE
From: Hauke Johannknecht <ash,AT,ash,DOT,de>
Date: Wed, 16 Jan 2002 13:45:49 +0100
In-reply-to: <Pine.LNX.4.33.0201151922350.18384-100000@urchin.earth.li>

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 15 Jan 2002, Ganesh Sittampalam wrote:

> Set "cttl 64" in all your CIPE option files. I don't recall exactly what
> the problem is, but it's something to do with the relationship between the
> TTL of the carrier packets and the TTL of the payload packets meaning
> that they get dropped without the appropriate ICMP getting back to
> traceroute.

its not a real problem, traceroute still works.
its not even cipe-specific but applies to any tunnel that
inherits the ttl of the encapsulated packets.
you will see a "gap" in the trace that has the same "size" as the
number of hops that are covered by the tunnel.

lets say you have three hops from the origin of your trace to the
router doing the tunneling and five hops covered by the tunnel.
your trace starts sending three packets with a ttl of 1, getting
back responses from the first hop. now three packets with a ttl
of 2. then a ttl of 3, getting a response from the "inner"
interface of the tunnelendpoint.

the next three packets get to the tunnelrouter with a ttl of 1,
the encapsulated packets inherit this ttl, so the first hop on
the outside of the tunnel sends back the "icmp-its-dead"
responses to the tunnelbox. but this tunnelbox cant know what to
do with these packets without keeping track of everything it
forwards, so it cant translate the responses to send them back to
your tracing box. so you see timeouts in your trace. this will
happen till the ttl is big enough for the packets to reach the
other end (position 9 in our example) of the tunnel. after this
the trace will continue as usual.

setting the transport ttl to some value bigger than the number of
hops between the tunnelendpoints will remove this "problem" and
will even obfuscate some hints about your "internal" network
structure an attacker might get from watching the "ttl inherit"
tunneled packets.

HTH,
  Hauke

- -- 
Hauke Johannknecht        Berlin / Germany        HJ422-RIPE
Use PGP ! -> lynx -dump http://www.ash.de/ash.asc | pgp -kaf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQEVAwUBPEVw6XO2fBh4VhzZAQFUTwgArBW2+Md7UmffqRFO62ZydxVW7bfA06NH
m6gZ0duu0JjK8+fyGc+iTgTym/RfA984fvbivDlmWW75BgW96hJYWepoAr46Sw/J
VeSdYHOgKt1ARwACrFos+0Yr6AIuT48zBKafI7o/O0oFqOAIkEYjGmN5JVgFkwu+
Lx6yeXWa9JBw+XkL3AMKORYb/oLAZXMENN98rhgY955+Gz6m86oPBaJojn5YZXjf
+c73zrO+6AlO7uIfT8Uj/54l6pO/QF7xbWb/cAKEfay0q63hDeB1nzNO1Q+M1QCU
wAP7mtQSvvOCn2AMZjnf7zXLIKpjsRa4KwhyO7kjWS6fXAR8xG2n5g==
=sjpG
-----END PGP SIGNATURE-----





<< | Thread Index | >> ]    [ << | Date Index | >> ]