RES: [c-nsp] Hiding a Cisco Router from a Traceroute
David Sinn
dsinn at dsinn.com
Thu Oct 20 21:45:30 EDT 2005
This will NOT stop a Cisco router from generating an ICMP TTL expire if
it is merely in the path of a traceroute. It will only stop it if it
is the destination of a traceroute on a protocol it is not normally
listening to. There is a big difference...
David
On Oct 20, 2005, at 11:19 AM, Murilo Antonio Pugliese wrote:
>
> Before trying to deploy MPLS in your whole backbone just to make use of
> the "no tag-switching ip propagate-ttl forwarded" command try the
>
>
> ip unreachables
> To enable the generation of Internet Control Message Protocol (ICMP)
> unreachable messages, use the ip unreachables command in interface
> configuration mode. To disable this function, use the no form of this
> command.
>
> ip unreachables
> no ip unreachables
>
> Syntax Description: This command has no arguments or keywords.
> Defaults: Enabled
> Usage Guidelines: If the Cisco IOS software receives a nonbroadcast
> packet destined for itself that uses a protocol it does not recognize,
> it sends an ICMP unreachable message to the source. If the software
> receives a datagram that it cannot deliver to its ultimate destination
> because it knows of no route to the destination address, it replies to
> the originator of that datagram with an ICMP host unreachable message.
> This command affects all types of ICMP unreachable messages.
>
>
> -----------------------------------------------------------------------
>
> The Traceroute Command
> http://www.cisco.com/warp/public/63/ping_traceroute.html#traceroute
>
> The traceroute command is used to discover the routes that packets
> actually take when traveling to their destination.
> The device (for example, a router or a PC) sends out a sequence of
> User Datagram Protocol (UDP) datagrams to an
> invalid port address at the remote host.
>
> Three datagrams are sent, each with a Time-To-Live (TTL) field value
> set to one. The TTL value of 1 causes the datagram
> to "timeout" as soon as it hits the first router in the path; this
> router then responds with an ICMP Time Exceeded Message (TEM)
> indicating that the datagram has expired.
>
> Another three UDP messages are now sent, each with the TTL value set
> to 2, which causes the second router to return ICMP TEMs.
> This process continues until the packets actually reach the other
> destination.
>
> Since these datagrams are trying to access an invalid port at the
> destination host, ICMP Port Unreachable Messages are returned,
> indicating an unreachable port; this event signals the Traceroute
> program that it is finished.
>
> -----------------------------------------------------------------------
>
>
> Best regards.
>
> Murilo Pugliese.
>
>
> -----Original Message-----
> From: Saku Ytti [mailto:saku+cisco-nsp at ytti.fi]
> Sent: Thursday, 20 October 2005 15:10
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Hiding a Cisco Router from a Traceroute
>
>
> On (2005-10-20 18:47 +0200), Gordon Bezzina wrote:
>
>> I do not know if this is possible with an ACL, but I would like to
>> hide my network topology from the internet.
>
> With ACL people doing traceroute will notice that there is node there,
> but they will not know it's IP.
> With MPLS you can hide all your core routers (routers that only
> have your routers as adjacent routers).
>
>> Eg. trace to c.c.c.c
>>
>> 1 a.a.a.a
>> 2 b.b.b.b
>> 3 c.c.c.c
>>
>> Assume that c.c.c.c is final client whilst b.b.b.b is my border
>> router and a.a.a.a and before is from the Internet. Now I want to set
>> up an ACL that hides from b onwards. Excuse my ignorance, but I cannot
>> find a clean way to do it. Obviously, I still want my client to be able
>> to perform pings and traceroutes to the external world.
>>
>> Thanks/Regards
>> Gordon Bezzina
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> --
> ++ytti
>
>
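The distinction David draws (and Saku's ACL remark), as an added Python model that is not part of the thread and not Cisco code: the addresses, hop names and the `filter_icmp_out` flag are assumptions; it shows which hops appear in a trace under each setting.

```python
# Toy model (constructed, not Cisco code): `no ip unreachables` silences a hop
# only as traceroute destination; as a transit hop it still sends ICMP time-exceeded.
from dataclasses import dataclass

@dataclass
class Hop:
    ip: str
    ip_unreachables: bool = True   # IOS default: `ip unreachables` enabled
    filter_icmp_out: bool = False  # assumed: an ACL drops this hop's own ICMP replies

def probe(path, dst, ttl):
    """One UDP probe with the given TTL toward dst; returns (replying ip, kind)."""
    for hop in path:
        if hop.ip == dst:
            # Destination: UDP to an unused port -> ICMP port unreachable,
            # unless `no ip unreachables` (or a filter) suppresses it.
            if hop.ip_unreachables and not hop.filter_icmp_out:
                return hop.ip, "port-unreachable"
            return None, "timeout"
        ttl -= 1
        if ttl == 0:
            # Transit hop: TTL expired -> ICMP time exceeded, generated
            # regardless of `ip unreachables`; only a filter hides the IP.
            if hop.filter_icmp_out:
                return None, "timeout"
            return hop.ip, "time-exceeded"
    return None, "timeout"

def traceroute(path, dst):
    """Probe with TTL 1, 2, ... until a port-unreachable ends the trace; returns
    [(ttl, ip or '*', kind)]. A real traceroute keeps printing '*' up to max hops."""
    out = []
    for ttl in range(1, len(path) + 1):
        ip, kind = probe(path, dst, ttl)
        out.append((ttl, ip or "*", kind))
        if kind == "port-unreachable":
            break
    return out

# Constructed topology from Gordon's example: a = Internet hop, b = border
# router, c = client behind it (RFC 5737 documentation addresses).
A, B, C = "192.0.2.1", "198.51.100.1", "203.0.113.10"
DEFAULT = [Hop(A), Hop(B), Hop(C)]
QUIET_B = [Hop(A), Hop(B, ip_unreachables=False), Hop(C)]  # David's case
ACL_B = [Hop(A), Hop(B, filter_icmp_out=True), Hop(C)]     # Saku's ACL case

if __name__ == "__main__":
    print(traceroute(QUIET_B, C))  # b still appears at hop 2
    print(traceroute(QUIET_B, B))  # b as destination answers nothing: '*'
```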