[c-nsp] Hiding a Cisco Router from a Traceroute

Kristofer Sigurdsson kristo at ipf.is
Mon Oct 24 11:30:23 EDT 2005


On Mon, 2005-10-24 at 16:24 +0100, Robert Kiessling wrote:
> Kristofer Sigurdsson wrote:
> > If you use addresses for your router interfaces that cannot be reached
> > from the general user [...] you will break MTU path discovery,
> 
> That's an argument frequently heard, but nonetheless invalid.
> All pMTUd needs is that the ICMP response from the router goes
> back to the user. The other direction, whether the user can
> reach the router, is irrelevant for that purpose.

This was an "ooops" on my part - that should have read "that cannot 
reach the user".  If you use RFC1918 addresses on your router
interfaces, this will be the case.

If you block ICMP to your users, however, they will not receive
fragmentation requests.

> 
> > thereby making your users
> > unable to reach a significant part of the Internet, and possibly a large
> > number of users will be unable to reach your services (e.g. www).
> 
> That's only true on a link with an MTU smaller than the packets
> that should be sent over it.
> 
> In practice that means links with 1500 MTU never cause "fragmentation
> needed" since packets will always traverse a network segment with an
> MTU of 1500 or smaller before entering your backbone.

This is also true, but the thing is, a lot of connections "out there"
have an MTU under 1500, e.g. various tunnels.

> 
> It typically causes issues (only) on DSL links, but I don't think
> that's what the previous poster was asking about. And what I suggest
> does not break pMTUd in any case.

DSL links are getting quite common. ;)

-- 
Kristófer Sigurðsson           Tel: +354 414 1600
Netrekstur/Network Operations  IP Fjarskipti ehf.
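An added illustration, not part of the thread: a small Python model of path MTU discovery along a path of routers, each with an address and a link MTU. The addresses, the 1476-byte tunnel MTU and the user-side filter names are constructed for the example. It shows Robert's point that the user never needs to reach the router (the model never consults that direction), and Kristofer's point that an RFC1918-sourced ICMP, or any ICMP the ISP blocks, black-holes DF packets as soon as a sub-1500 MTU hop appears on the path.

```python
import ipaddress

# RFC1918 ranges; a router interface numbered from these cannot source an
# ICMP message that a general Internet user will route back or accept.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def icmp_reaches_user(src, user_filters):
    """Would an ICMP 'fragmentation needed' (type 3, code 4) sourced from `src`
    get back to the user?  `user_filters` is a constructed set of policies."""
    if "block-icmp" in user_filters:          # the ISP blocks ICMP to its users
        return False
    if "drop-rfc1918-sources" in user_filters and is_rfc1918(src):
        return False                          # private source: filtered or unroutable
    return True

def pmtud(path, user_filters, size=1500, max_rounds=8):
    """Send a DF packet of `size` bytes over `path`, a list of (router_addr, link_mtu).
    A router whose link MTU is too small drops the packet and answers with
    ICMP type 3 code 4 sourced from its own address, carrying the link MTU.
    Only that return direction matters: whether the user can reach router_addr
    is never checked.  Returns (delivered, final_size, icmp_messages_received)."""
    received = []
    for _ in range(max_rounds):
        for router_addr, link_mtu in path:
            if size > link_mtu:
                if not icmp_reaches_user(router_addr, user_filters):
                    return False, size, received   # black hole: retries just time out
                received.append((router_addr, link_mtu))
                size = link_mtu                    # user lowers the path MTU estimate
                break                              # and retransmits at the new size
        else:
            return True, size, received            # every hop accepted the packet
    return False, size, received

if __name__ == "__main__":
    # Constructed paths: documentation-range public addresses, plus a GRE-style
    # tunnel hop with a 1476-byte MTU (constructed value).
    plain = [("203.0.113.1", 1500), ("198.51.100.1", 1500)]
    tunnel_public = [("203.0.113.1", 1500), ("198.51.100.1", 1476)]
    tunnel_private = [("203.0.113.1", 1500), ("10.0.0.1", 1476)]
    print("all 1500 MTU                 :", pmtud(plain, set()))
    print("tunnel, public router addr   :", pmtud(tunnel_public, set()))
    print("tunnel, RFC1918 router addr  :", pmtud(tunnel_private, set()))
    print("tunnel, RFC1918 + bogon filter:", pmtud(tunnel_private, {"drop-rfc1918-sources"}))
    print("tunnel, ICMP blocked to user  :", pmtud(tunnel_public, {"block-icmp"}))
```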


