[c-nsp] What MTU for Bellsouth BBG / BRAS <-> LNS l2TP tunnel ?

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Tue Nov 2 16:32:51 EST 2004


okay,,,,

here is why i have come to hate icmp.

the ICMP/Packet Internet Groper program, or ping, sends out ICMP Echo Request
type=8 packets and waits for ICMP Echo Reply type=0 replies.

If the distant end is up, has an IP stack, and is not behind a device
blocking ICMP echoes (a firewall), the echo reply will be received by your
stack and presented to ping. so as one can see it indicates that the remote
system is up and reachable.

to prevent scans, many firewalls block both outbound requests and inbound
replies.

another goofball fingerprinting technique involves using ICMP timestamp
replies, but only from most Unix systems, because M$ stacks don't implement
this functionality, so we know it is not a winbloze box we are hitting.

address mask requests (type 16) should only be answered by routers and
should not cross AS boundaries.

source quench and redirects adjust routing tables and as such should also
never pass a firewall, as they can be used to seed DoS and other blends.

time exceeded (type 11, code 0) messages can be used to map networks.

IP headers include a Time-To-Live (TTL) value that gets decremented each
time the IP packet passes through an IP layer.

TTL prevents packets from looping forever.

imho, icmp is evil as it supplies so much info to the sender that they
really don't need to see.

~piranha
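The per-type firewall policy sketched above, written out as an added example (not code from the post or from any vendor): it parses a raw ICMP message, verifies the RFC 1071 checksum, and returns pass/drop for the types the post names (echo, timestamp, address mask, source quench, redirect, time exceeded). The policy itself, the constant names, `filter_decision` and the constructed sample messages are my assumptions; the one thing added beyond the post is that type 3 code 4 (fragmentation needed) is always passed, since dropping it is what breaks MTU handling on tunnels like the one in the subject line.

```python
import struct

# ICMP types named in the post (RFC 792 numbering), plus 3/4 for path MTU.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, TIMESTAMP, TIMESTAMP_REPLY = 8, 11, 13, 14
MASK_REQUEST, MASK_REPLY, FRAG_NEEDED = 17, 18, 4  # FRAG_NEEDED is a code of type 3

# Types the post says should never pass a firewall (hypothetical policy).
ALWAYS_DROP = {SOURCE_QUENCH, REDIRECT, TIMESTAMP, TIMESTAMP_REPLY,
               MASK_REQUEST, MASK_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message (header + payload)."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    # The checksum is computed with its own field zeroed.
    ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum
    return icmp_type, code, ok


def filter_decision(msg: bytes, inbound: bool) -> str:
    """'pass' or 'drop' for one ICMP message; inbound=True means arriving from outside."""
    icmp_type, code, ok = parse_icmp(msg)
    if not ok:
        return "drop"          # bad checksum: malformed, never forward
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return "pass"          # keep path MTU discovery working
    if icmp_type in ALWAYS_DROP:
        return "drop"
    if icmp_type == ECHO_REQUEST and inbound:
        return "drop"          # stops ping sweeps of the inside
    if icmp_type == TIME_EXCEEDED and not inbound:
        return "drop"          # outbound TTL-exceeded lets outsiders map the network
    return "pass"


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed sample message with a valid checksum, for exercising the filter."""
    msg = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0) + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]
```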

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Gert Doering
Sent: Monday, November 01, 2004 11:28 PM
To: Randy Bush
Cc: Phillip Vandry; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] What MTU for Bellsouth BBG / BRAS <-> LNS l2TP tunnel?


Hi,

On Mon, Nov 01, 2004 at 10:25:00PM -0800, Randy Bush wrote:
> >> amazon is about as stupid about networking as the moslem world is
> >> about the current us government.  if they're doing something,
> >> there's a reason.  we can try to understand how this might not work
[..]
> vendor bug, as guessed in the part of my reply you omitted.  
> been known for a while.  being worked.  there is hope.

Thanks.  I take back my comments about cluelessness and apologize.

(It's just so frustrating to talk to firewall admins day after day, and
the thing they are all insisting on is that "ICMP IS EVIL"...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/