[j-nsp] Identifying pfe icmp throttled traffic
Jeff S Wheeler
jsw at inconcepts.biz
Sun Mar 8 20:47:19 EDT 2009
On Sun, 2009-03-08 at 19:10 -0500, Richard A Steenbergen wrote:
> This is on a MX960. I had actually tried matching ttl [ 0 1 ] in
> firewall on border interfaces before as a way to limit traceroutes, but
> it had some unexpected impact to regularly forwarded traffic when
> policed, which we never fully explained, so I had turned it off. Is there
> anything different about time-exceeded-bit than the ttl math I just
> mentioned? Is this supported on platforms which can't firewall match on
> ttl or something like that?
When I read this thread I was curious about this, too. I checked on M7i
and EX4200, which is my favorite box, as you know.
I think the M7i is matching punts to the exception processor which cause
the TTL Exceeded packets to be generated. So it probably does do what
you want.
On the 4200, the information available is limited but it is definitely
not simply matching ttl 0-1, as you can see below. That platform does
(theoretically) have the ability to match on ttl. Whether or not this
works in practice, I don't know. ;)
// M7i

# show filter foo
term test {
    from {
        time-exceeded-bit;
    }
}

# show filter index 7 program
Program Filters:
---------------
Index   Dir     Cnt     Text    Bss     Name
-----   ------  ------  ------  ------  --------
7       52      0       16      0       foo

Firewall program version 2 magic fed2beef
Name: "foo" Protocol: ip
Implicit Filter: No
Hash: 6ed350b5dd96126db100d6ea7733870d
Action directory: 1 entry (52 bytes)
Text: 4 instruction words (16 bytes)

Action directory: 1 entry (52 bytes)
  0: accept
     -> 2:

Program instructions: 4 words
  0: set notification-flags
     match notification-flags & 0x08 != 0x08 -> 3:
     terminate -> action index 0
  3: terminate -> discard

# show filter bar
term test {
    from {
        ttl 0-1;
    }
}

# show filter index 5 program
Program Filters:
---------------
Index   Dir     Cnt     Text    Bss     Name
-----   ------  ------  ------  ------  --------
5       52      0       4       0       bar

Firewall program version 2 magic fed2beef
Name: "bar" Protocol: ip
Implicit Filter: No
Hash: 000e11211931d9a2ca2c3ef4ea1e756f
Action directory: 1 entry (52 bytes)
Text: 1 instruction word (4 bytes)

Action directory: 1 entry (52 bytes)
  0: accept
     -> 0:

Program instructions: 1 word
  0: terminate -> action index 0
//// below is the EX4200

# show filter foo
term test {
    from {
        time-exceeded-bit;
    }
}

PFEM0(vty)# show filter index 7 program
Filter index = 7
term test
    term priority 0
    time-exceeded
        1
    then
        accept
term internal-5
    term priority 0
    then
        discard

# show filter bar
term test {
    from {
        ttl 0-1;
    }
}

PFEM0(vty)# show filter index 5 program
Filter index = 5
term test
    term priority 0
    ttl
        0-1
    then
        accept
term internal-6
    term priority 0
    then
        discard
--
Jeff S Wheeler <jsw at inconcepts.biz> +1-212-981-0607
Sr Network Operator / Innovative Network Concepts
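The compiled programs quoted in the post are the evidence for what each platform really tests, and the M7i output for "bar" (from ttl 0-1) is worth a second look: the whole program is one instruction, "terminate -> action index 0", where action 0 is accept, so nothing in the packet is examined at all, whereas "foo" (from time-exceeded-bit) loads notification-flags and tests bit 0x08 before accepting. When auditing such filters across more than a couple of boxes it helps to parse the PFE output rather than eyeball it. The script below is an added example, not code from the post or from Juniper: it parses the M-series "show filter index N program" text and the EX4200 PFEM variant, extracts the match fields and terminal actions, and flags a program that compiled to a single unconditional accept. The sample strings are abridged copies of the output quoted above; the regular expressions assume the layouts visible in those samples and nothing more.

```python
"""Parse Junos PFE 'show filter index N program' output (M-series and EX4200
formats) and report what each compiled filter program actually matches on."""
import re

# Sample inputs: abridged copies of the PFE output quoted in the post.
M7I_FOO = """\
Name: "foo" Protocol: ip
Action directory: 1 entry (52 bytes)
0: accept
-> 2:
Program instructions: 4 words
0: set notification-flags
match notification-flags & 0x08 != 0x08 -> 3:
terminate -> action index 0
3: terminate -> discard
"""
M7I_BAR = """\
Name: "bar" Protocol: ip
Action directory: 1 entry (52 bytes)
0: accept
-> 0:
Program instructions: 1 word
0: terminate -> action index 0
"""
EX_BAR = """\
Filter index = 5
term test
term priority 0
ttl
0-1
then
accept
term internal-6
term priority 0
then
discard
"""

NAME_RE = re.compile(r'^Name:\s*"([^"]+)"')
ACTION_RE = re.compile(r"^(\d+):\s*(\S+)$")      # action directory entry, e.g. "0: accept"
INSTR_RE = re.compile(r"^(?:\d+:\s*)?(.*)$")     # drop the optional "N:" instruction label
MATCH_RE = re.compile(r"^match\s+(\S+)")         # "match <field> ..." is a real packet test
TERM_RE = re.compile(r"^terminate\s*->\s*(?:action index (\d+)|(\w+))")


def parse_m_series(text):
    """M-series format: an action directory followed by a small program.
    A program with no 'match' instruction tests nothing from the packet."""
    name, actions, instrs, section = None, {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if NAME_RE.match(line):
            name = NAME_RE.match(line).group(1)
        elif line.startswith("Action directory:"):
            section = "actions"
        elif line.startswith("Program instructions:"):
            section = "program"
        elif section == "actions" and ACTION_RE.match(line):
            idx, act = ACTION_RE.match(line).groups()
            actions[int(idx)] = act
        elif section == "program":
            instrs.append(INSTR_RE.match(line).group(1))
    match_fields = [m.group(1) for m in map(MATCH_RE.match, instrs) if m]
    terminal = []
    for m in filter(None, map(TERM_RE.match, instrs)):
        # "action index N" is resolved through the action directory
        terminal.append(actions.get(int(m.group(1)), "?") if m.group(1) else m.group(2))
    return {"name": name, "match_fields": match_fields, "terminal_actions": terminal,
            "unconditional_accept": not match_fields and terminal == ["accept"]}


def parse_ex(text):
    """EX4200 format: per term, a field line followed by its value line,
    repeated until 'then', after which every line is an action."""
    terms, pending, in_then = [], None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith(("Filter index", "term priority")):
            continue
        if line.startswith("term "):
            terms.append({"name": line.split(None, 1)[1], "matches": {}, "actions": []})
            pending, in_then = None, False
        elif line == "then":
            in_then = True
        elif in_then:
            terms[-1]["actions"].append(line)
        elif pending is None:
            pending = line                      # field name; its value is on the next line
        else:
            terms[-1]["matches"][pending] = line
            pending = None
    return terms


if __name__ == "__main__":
    for prog in (parse_m_series(M7I_FOO), parse_m_series(M7I_BAR)):
        print(prog)
    for term in parse_ex(EX_BAR):
        print(term)
```

Run against the post's own output, "foo" reports a match on notification-flags with accept and discard as possible outcomes, while "bar" reports no match fields and unconditional_accept set, which is the condition worth alerting on: a "from" clause that the PFE compiled away will accept every packet the term sees.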