[j-nsp] "ping: sendto: Operation not permitted" in LAN

Stefan Fouant sfouant at shortestpathfirst.net
Fri Aug 19 09:50:04 EDT 2011


Hi Saku,

'tcp-established' or any of the other TCP bit-field match conditions do assume an implied TCP, but they aren't actually checking to see if the protocol is TCP.  Therefore, they are simply looking for a bit to be on or off at a specific offset where those fields would be if the packet were actually TCP.

What this means is that if the packet is anything other than TCP, and a protocol match type of TCP is not specified, other packets may match if the bit is set at that particular offset.

This isn't really an "inconsistency" as you say, and there are no real useful applications here... This is why the Juniper documentation and other literature is explicit in pointing out that you should always use a 'protocol tcp' match when using these bit-field conditions...

HTHs.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Aug 19, 2011, at 4:29 AM, Saku Ytti <saku at ytti.fi> wrote:

> On (2011-08-18 21:23 -0400), Stefan Fouant wrote:
> 
>> Trio has nothing to do with this - the behavior when matching on a
>> port is completely different than using the bit-field match
>> operators.  Even without Trio, if you specify a match on a port
>> without protocol, it will look in the appropriate locations
>> depending on whether the traffic is TCP or UDP.  That is not the
>> case with bit-field match operators.
>> 
>> See http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html#jd0e29000
> 
> Thanks for clearing that up. However if 'port' assumes implied udp/tcp (instead
> of just finding port values in predefined offset, regardless of protocol) why
> doesn't 'tcp-established' assume implied tcp? Is there any useful application
> behind this inconsistency?
> 
> Also do you have access internally to information which you are able to share,
> when would JunOS CLI get 'match protocol udp|tcp|icmp' for ipv6? So users
> could, in existence of extension headers, still match for L4 protocol?
> 
> Thanks again,
> -- 
>  ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
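As an added illustration of the point in Stefan's reply (this is example code written for this page, not anything from the list post or from Juniper), here is a small Python model of an IPv4 filter term using 'tcp-established' on its own versus together with 'protocol tcp'. It assumes that the bit-field test reads the flag bits at byte 13 of whatever follows the IPv4 header, which is what 'tcp-established' being a synonym for tcp-flags "(ack | rst)" implies, and that a term with 'protocol tcp' checks the IP protocol field first. The packets it feeds through the filter are constructed inline.

```python
"""
Added example (not from the mailing-list post): a model of the two match
semantics discussed above for an IPv4 firewall-filter term.

Assumption: a Junos bit-field condition such as 'tcp-established' (a synonym
for tcp-flags "(ack | rst)") tests the flag bits at byte 13 of whatever
follows the IPv4 header, and only a 'protocol tcp' condition in the same
term ties that test to actual TCP. All packets below are constructed here.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def ipv4_packet(proto, l4):
    """20-byte IPv4 header without options; checksum left at zero (constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + l4


def tcp_segment(sport, dport, flags, payload=b""):
    """20-byte TCP header: data offset 5 words, flags at byte 13 of the header."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload):
    """8-byte UDP header followed by the payload; byte 13 of L4 is payload[5]."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l4_flags_byte(pkt):
    """The byte where TCP keeps its flags, read regardless of what L4 really is."""
    off = (pkt[0] & 0x0F) * 4 + 13
    return pkt[off] if off < len(pkt) else 0


def tcp_established_bitfield_only(pkt):
    """'tcp-established' alone: the (ack | rst) bit test with no protocol check."""
    return bool(l4_flags_byte(pkt) & (TCP_FLAG_ACK | TCP_FLAG_RST))


def tcp_established_with_protocol(pkt):
    """'protocol tcp; tcp-established;': the same bits, but only on TCP (IP proto 6)."""
    return pkt[9] == IPPROTO_TCP and tcp_established_bitfield_only(pkt)


def verdict(pkt, with_protocol_tcp):
    """Models this filter:

        term allow-established {
            from { [protocol tcp;] tcp-established; }
            then accept;
        }
        term default { then discard; }
    """
    match = tcp_established_with_protocol if with_protocol_tcp else tcp_established_bitfield_only
    return "accept" if match(pkt) else "discard"


# Constructed sample traffic.
TCP_SYN = ipv4_packet(IPPROTO_TCP, tcp_segment(40000, 22, TCP_FLAG_SYN))
TCP_ACK = ipv4_packet(IPPROTO_TCP, tcp_segment(40000, 22, TCP_FLAG_ACK))
# UDP whose sixth payload byte (0x10 = TCP ACK bit) lands exactly at L4 byte 13.
UDP_LOOKS_ESTABLISHED = ipv4_packet(IPPROTO_UDP, udp_datagram(53, 53, b"hello\x10world"))
UDP_PLAIN = ipv4_packet(IPPROTO_UDP, udp_datagram(53, 53, b"hello world"))

if __name__ == "__main__":
    for name, pkt in [("TCP SYN", TCP_SYN), ("TCP ACK", TCP_ACK),
                      ("UDP, 0x10 at L4 byte 13", UDP_LOOKS_ESTABLISHED),
                      ("UDP, plain", UDP_PLAIN)]:
        print(f"{name:26} tcp-established only: {verdict(pkt, False):8} "
              f"with protocol tcp: {verdict(pkt, True)}")
```

Running it shows the UDP datagram whose sixth payload byte happens to be 0x10 being accepted by the bit-field-only term and discarded once 'protocol tcp' is added, while the TCP SYN and ACK cases behave the same either way. A term with 'tcp-established' (or 'tcp-initial', or a raw 'tcp-flags' expression) and no 'protocol tcp' is the pattern to look for when auditing existing filters.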


