From: Michael Glasgow
Subject: ipsec foils traceroute on gre/gif
To: freebsd-net@freebsd.org
Date: Tue, 18 Feb 2014 00:13:39 -0600 (CST)
Message-Id: <201402180613.s1I6DdhS020353@dark.beer.net>
List-Id: Networking and TCP/IP with FreeBSD

I noticed traceroute misses a hop when crossing an encrypted gif or gre tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example. It appears the TTL-exceeded ICMP isn't properly generated.

Poking through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any untoward security ramifications was not forthcoming. Anyone have an interest in resurrecting this?

--
Michael Glasgow
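An added example, not code from the post or from FreeBSD: a small parser for traceroute output like the one quoted above that separates an interior silent hop (one or more "* * *" rows followed by a hop that does answer, which is the symptom described here) from trailing silence (nothing after the last answering hop), the ordinary sign of a far end that filters probes. The first sample is the traceroute from the post; the second is a constructed filtered path for contrast. The function and field names are this example's own.

```python
"""Classify silent hops in traceroute output.

Added example; not the poster's code and not anything from FreeBSD.
SAMPLE_TUNNEL is the traceroute quoted in the post; SAMPLE_FILTERED is
a constructed path whose destination never answers, for contrast.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample 1: the traceroute output quoted in the post.
SAMPLE_TUNNEL = """\
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms
"""

# Constructed sample 2: a made-up path where the far end filters probes.
SAMPLE_FILTERED = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.301 ms  0.280 ms  0.277 ms
 2  192.0.2.2 (192.0.2.2)  1.905 ms  1.870 ms  1.866 ms
 3  * * *
 4  * * *
 5  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                # "<ttl>  <rest>"
HDR_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")  # destination address
ADDR_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")            # "host (addr)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")                    # per-probe RTTs


@dataclass
class Hop:
    ttl: int
    host: Optional[str] = None   # None when every probe timed out
    addr: Optional[str] = None
    rtts_ms: list = field(default_factory=list)
    timeouts: int = 0            # number of "*" probes on this row

    @property
    def silent(self) -> bool:
        return self.host is None


def parse_traceroute(text: str):
    """Return (destination address, list of Hop) for one traceroute run."""
    dest, hops = None, []
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            dest = h.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(ttl=int(m.group(1)))
        rest = m.group(2)
        a = ADDR_RE.search(rest)
        if a:
            hop.host, hop.addr = a.group(1), a.group(2)
        hop.rtts_ms = [float(x) for x in RTT_RE.findall(rest)]
        hop.timeouts = rest.count("*")
        hops.append(hop)
    return dest, hops


def classify(text: str) -> dict:
    """Separate interior silent hops from trailing ones.

    A silent hop with a responding hop after it means the node at that
    TTL forwarded the probe but no ICMP time-exceeded came back to us,
    which is the symptom the post describes.  Trailing silence with no
    later answer is the ordinary "far end filters probes" pattern.
    """
    dest, hops = parse_traceroute(text)
    last_answer = max((h.ttl for h in hops if not h.silent), default=0)
    interior = [h.ttl for h in hops if h.silent and h.ttl < last_answer]
    trailing = [h.ttl for h in hops if h.silent and h.ttl > last_answer]
    reached = bool(hops) and dest is not None and hops[-1].addr == dest
    return {
        "destination": dest,
        "reached": reached,
        "interior_silent": interior,
        "trailing_silent": trailing,
        "hops": hops,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TUNNEL, SAMPLE_FILTERED):
        r = classify(sample)
        print(r["destination"], "reached" if r["reached"] else "not reached",
              "| interior silent:", r["interior_silent"],
              "| trailing silent:", r["trailing_silent"])
```

On the post's output this reports hop 3 as interior-silent, sitting immediately after the tunnel ingress at hop 2 and before the destination answers at hop 4. That pattern only tells you the time-exceeded reply for that TTL never arrived; it does not by itself distinguish "never generated at the decapsulating end" from "generated but dropped on the return path", so the next step is a packet capture on the tunnel endpoint's inner and outer interfaces while sending a probe with that exact TTL.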