From owner-freebsd-net@FreeBSD.ORG  Tue Feb 18 06:24:02 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 232276D
 for <freebsd-net@freebsd.org>; Tue, 18 Feb 2014 06:24:02 +0000 (UTC)
Received: from dark.beer.net (dark.beer.net [204.145.225.20])
 by mx1.freebsd.org (Postfix) with ESMTP id E4CCE11B0
 for <freebsd-net@freebsd.org>; Tue, 18 Feb 2014 06:24:01 +0000 (UTC)
Received: from dark.beer.net (glasgow@localhost [127.0.0.1])
 by dark.beer.net (8.13.8/8.13.8) with ESMTP id s1I6Ddf0020354
 for <freebsd-net@freebsd.org>; Tue, 18 Feb 2014 00:13:40 -0600 (CST)
Received: (from glasgow@localhost)
 by dark.beer.net (8.13.8/8.13.8/Submit) id s1I6DdhS020353
 for freebsd-net@freebsd.org; Tue, 18 Feb 2014 00:13:39 -0600 (CST)
From: Michael Glasgow <glasgow@beer.net>
Message-Id: <201402180613.s1I6DdhS020353@dark.beer.net>
Subject: ipsec foils traceroute on gre/gif
To: freebsd-net@freebsd.org
Date: Tue, 18 Feb 2014 00:13:39 -0600 (CST)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 06:24:02 -0000

I noticed traceroute misses a hop when crossing an encrypted gif
or gre tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example.  It
appears the TTL-exceeded ICMP isn't properly generated.  Poking
through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any
untoward security ramifications was not forthcoming.  Anyone have
an interest in resurrecting this?

-- 
Michael Glasgow <glasgow@beer.net>