[nsp] Re: RPF problem with ICMP unreachables

Hank Nussbacher hank at att.net.il
Mon Mar 17 13:15:58 EST 2003


Posted Nov 24:
>I have a problem with a customer when running simple RPF checking ("ip 
>verify unicast reverse-path") to the customer.  The problem is not on the 
>side of my router running RPF checking but rather on his side - and we 
>have tried numerous different versions of IOS on his side.  He announces a 
>/27 to me via BGP.  Suppose we call it 10.117.80.224/27.  A user on my 
>side now tries to ping 10.117.80.226/32.  The IP is routed to his router 
>but his router has no route to this specific IP.  What should happen is 
>the interface facing me should return the ICMP error message.  But that 
>doesn't happen.  His router returns the ICMP error message with the IP 
>address of the interface which has the *highest* IP address (which happens 
>to start with 212.x.x.x) on that router.  My RPF check drops the packet 
>(correctly).
>
>How does one force a router to not use *highest* IP address to return ICMP 
>unreachables and instead use the interface from where the ICMP came?
>
>-Hank

To which Rajesh Talpade rrt at research.telcordia.com responded:

>Wouldn't this be rather hard to do since ICMP messages are processed
>inside the router's processing engine, and such ability requires keeping
>state about what interface an IP packet arrived on?
>
>Also, the path back to the ICMP originator may not be over the interface
>that the ICMP arrived into the router, so what IP address would one
>assign as the source of the ICMP unreachable?

Rajesh wins the prize.  Cisco recently closed CSCdz62987 stating that it 
can't do it in IOS :-)

CSCdz62987 Bug Details
  Headline:               Unreachables sent with wrong source IP address
  Product:                c7500
  Model:
  Component:              ip
  Duplicate of:
  Severity:               3
  Status:                 Closed
  First Found-in Version: 12.2(12a)
  All affected versions:

A Cisco router running 12.2(12a) may send ICMP unreachable
with the source IP address set to the IP address of the interface
on which the non-routable packet arrived instead of the IP address
of the outgoing interface towards the other box.

I'll have to learn to live with it.

-Hank
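The thread turns on one rule: a strict unicast RPF check accepts a packet only when the best route to its source address points back out the interface the packet arrived on, so an ICMP unreachable sourced from the customer's 212.x.x.x interface fails the check on the provider's customer-facing interface. The following is an added example, not code from the post or from Cisco; it simulates that lookup over a constructed FIB in Python and also shows loose-mode RPF (RFC 3704), where the source only has to exist in the FIB, which is the usual workaround when the peer cannot control its ICMP source address. The interface names, the 192.0.2.0/30 link prefix, and 198.51.100.0/24 standing in for the 212.x.x.x block are all assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed FIB for the provider router: prefix -> interface the route points out of.
# Serial1 faces the customer (who announces the /27 via BGP) and carries the
# point-to-point link prefix; 198.51.100.0/24 stands in for the customer's
# "highest" 212.x.x.x interface block, which is reachable over a different path.
FIB: Dict[IPv4Net, str] = {
    ipaddress.ip_network("192.0.2.0/30"): "Serial1",        # link to the customer (assumed)
    ipaddress.ip_network("10.117.80.224/27"): "Serial1",    # customer's BGP announcement
    ipaddress.ip_network("198.51.100.0/24"): "Serial2",     # stand-in for 212.x.x.x block
    ipaddress.ip_network("10.0.0.0/8"): "Ethernet0",        # provider's own users (assumed)
}


def lookup(fib: Dict[IPv4Net, str], addr: str) -> Optional[IPv4Net]:
    """Longest-prefix match of addr against the FIB; None when nothing covers it."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def urpf_check(fib: Dict[IPv4Net, str], src: str, in_iface: str, mode: str = "strict") -> bool:
    """Return True if a packet with source src arriving on in_iface passes RPF.

    strict: the best route to src must point out in_iface.
    loose:  src only needs some route in the FIB (RFC 3704 loose mode).
    """
    net = lookup(fib, src)
    if net is None:
        return False            # unrouted source: dropped in both modes
    if mode == "loose":
        return True
    return fib[net] == in_iface


# Constructed sample of packets seen on the provider's customer-facing interface.
SAMPLE: List[Tuple[str, str, str]] = [
    # (source address, ingress interface, what the packet represents)
    ("192.0.2.2", "Serial1", "ICMP unreachable sourced from the customer's interface facing us"),
    ("198.51.100.1", "Serial1", "ICMP unreachable sourced from the highest interface address"),
    ("203.0.113.7", "Serial1", "source with no route at all"),
]


def evaluate(fib: Dict[IPv4Net, str], packets: List[Tuple[str, str, str]],
             mode: str = "strict") -> List[Tuple[str, bool]]:
    """Run the RPF check over the sample; returns (source, accepted) per packet."""
    return [(src, urpf_check(fib, src, iface, mode)) for src, iface, _ in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode ---")
        for (src, accepted), (_, _, desc) in zip(evaluate(FIB, SAMPLE, mode), SAMPLE):
            print(f"{src:14} {'accept' if accepted else 'DROP':6}  {desc}")
```

In strict mode only the unreachable sourced from the link address survives; the one sourced from the 198.51.100.x stand-in is dropped exactly as Hank's router drops the 212.x.x.x-sourced message. Loose mode accepts it because the prefix exists in the FIB, at the cost of no longer catching spoofed sources that happen to be routed somewhere, which is the trade-off to weigh before relaxing the check.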
