[c-nsp] CBAC not properly handling fragmentation?

Marc Haber mh+cisco-nsp at zugschlus.de
Sat Jan 28 09:43:36 EST 2006


Hi,

On Sat, Jan 28, 2006 at 03:17:04PM +0100, Michael Markstaller wrote:
> MTU should be indeed at least 1456 whatever provider (PPPoE-account)
> you use, but you've set MSS to 1452. MSS should be at most 1456 (MTU)
> - 20 (TCP-header).

Hm. Now that you mention it. But shouldn't that be 40?

> You mention IPSec, this tends to make things worse - at least one of
> the routers tends to have a fancy "no icmp type 3 code 4" bug..

The issue I have reported does happen over unencrypted connections.

Additionally, the test setup doesn't have any firewalls besides the
CBAC code involved, so PMTU should work. Or could that be blamed on
the broken icmp inspection?

> Now, the other stuff in your config looks like SDM, which at least in
> my opinion, creates nothing else than weird crap;

I agree, but the owner of the router likes SDM and will continue to
use it. There is nothing I can do about this.

> Start with something like that (and enable only the protocols you really need inspection for):
> --- cut ---
> ip inspect name DEFAULT101 udp
> ip inspect name DEFAULT101 tcp
> ip inspect name DEFAULT101 ftp
> 
> no access-list 101 
> no access-list 104
> access-list 104 remark *** IKE/ESP allowed
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
> access-list 104 permit udp any any eq non500-isakmp
> access-list 104 remark *** ICMP-subset allowed
> access-list 104 permit icmp any any echo
> access-list 104 permit icmp any any echo-reply
> access-list 104 permit icmp any any unreachable
> access-list 104 permit icmp any any time-exceeded
> access-list 104 permit icmp any any ttl-exceeded
> access-list 104 permit icmp any any packet-too-big
> access-list 104 remark *** NTP-Response from Time-servers
> access-list 104 permit udp host 192.53.103.103 eq ntp any eq ntp
> access-list 104 deny ip any any log
> ! inbound private 192.168 -> 192.168.x.x via ipsec is not being looked at on the inbound interface ACL since 12.3T-something)
> 
> access-list 101 permit ip 192.168.0.0 0.0.0.255 any
> 
> int Vlan1
> ip access 101 in 
> no ip inspect DEFAULT101 in
> ip tcp adjust-mss 1350
> 
> int Di0
> ip access 104 in
> ip inspect DEFAULT101 out 
> --- cut ---
> 
> Other things to mention:
> - disable icmp inspection and let unreachable from the outside through, icmp inspection is broken, broken, and broken again in most images..

Thanks, that is an important hint.

Unreachables from the outside shouldn't play any role in the given
setup since we're transferring large data amounts _in_, so the
unreachables should be created by the ISP (which doesn't happen), and
they should be going _out_ not coming in.

> Now, I'd be very interested in another question ;)
> You have a symmetric T-DSL running on a 1803 without a modem in
> front, right ?

I have never seen the installation on site, and I have never done
Dialup on Cisco, but if "pppoe-client dial-pool-number 1" on interface
ATM0.2 means that the PPPoE session initiated by Dialer 0 which is in
dialer pool 1 goes out over the ATM interface, the 1803's modem is in
use.

> I'd really appreciate a "sh dsl int", if possible with training log enabled.

I won't be able to access the box before Monday, and show tech doesn't
seem to include the output of show dsl int. What I have is "show
diag", which is:

Slot 0:
        C1803 1FE G.SHDSL Mainboard Port adapter, 11 ports
        Port adapter is analyzed
        Port adapter insertion time unknown
        EEPROM contents at hardware discovery:
        Base MAC Address         : 0013.8005.047a
        PCB Serial Number        : FOC091119P0
        Hardware Revision        : 3.0
        Processor type           : 93
        Part Number              : 73-9168-03
        Board Revision           : A0
        Deviation Number         : 0
        Fab Version              : 03
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        MAC Address block size   : 18
        Chassis Serial Number    : FHK092821JM
        Product (FRU) Number     : CISCO1803/K9
        Version Identifier       : V01
        Radio Country Code       : 0000
        Top Assy. Part Number    : 800-24323-01
        CLEI Code                : COMRU00BRA
        EEPROM format version 4
        EEPROM contents (hex):
<snipped>

How do I enable training log?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
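An added example, not part of this message or of the quoted configuration: a small Python evaluator for the extended-ACL subset used in the quoted config. It shows that the inbound ACL 104 above already admits the ICMP "fragmentation needed" message (type 3, code 4) through its "unreachable" entry, which is what matters for PMTU discovery once ICMP inspection is switched off as suggested. The ACL excerpt is a subset of the posted one, and the packet addresses used in the checks are constructed.

```python
# Added example, not from the thread: evaluator for the extended-ACL subset in the quoted config.
import ipaddress
# IOS ICMP keywords -> (type, code), None = any code; note "unreachable" already includes 3/4.
ICMP = {"echo": (8, None), "echo-reply": (0, None), "unreachable": (3, None),
        "packet-too-big": (3, 4), "time-exceeded": (11, None), "ttl-exceeded": (11, 0)}
PORTS = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}
# Constructed sample: a subset of the inbound ACL 104 and ACL 101 from the quoted config.
ACL_TEXT = """access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit icmp any any unreachable
access-list 104 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 104 deny ip any any log
access-list 101 permit ip 192.168.0.0 0.0.0.255 any"""
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' into (matcher, next token index)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    host = tok[i] == "host"  # 'host A' is the same as 'A 0.0.0.0'
    b, w = _ip(tok[i + 1] if host else tok[i]), 0 if host else _ip(tok[i + 1])
    return (lambda a, b=b, w=w: ((_ip(a) ^ b) & ~w & 0xFFFFFFFF) == 0), i + 2

def _port(tok, i):
    """Optional 'eq PORT' qualifier; returns (matcher, next token index)."""
    if i < len(tok) and tok[i] == "eq":
        p = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        return (lambda x, p=p: x == p), i + 2
    return (lambda x: True), i

def parse_acl(text, number):
    """Collect one numbered ACL's entries in order, skipping remarks and other lines."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp = ICMP.get(tok[i]) if tok[3] == "icmp" and i < len(tok) else None
        rules.append((tok[2], tok[3], src, sport, dst, dport, icmp))
    return rules

def evaluate(rules, pkt):
    """First match wins, ending in the implicit deny, as on IOS; pkt is a dict."""
    for action, proto, src, sport, dst, dport, icmp in rules:
        ok = (proto in ("ip", pkt["proto"]) and src(pkt["src"]) and dst(pkt["dst"])
              and sport(pkt.get("sport", 0)) and dport(pkt.get("dport", 0)))
        if ok and (not icmp or (pkt.get("itype") == icmp[0] and icmp[1] in (None, pkt.get("icode")))):
            return action
    return "deny"
```

Feeding an ICMP type 3 code 4 packet to evaluate(parse_acl(ACL_TEXT, 104), ...) returns "permit", while an ICMP type the list does not name falls through to the explicit deny.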
