From owner-freebsd-net@FreeBSD.ORG Wed Jul 21 18:14:10 2004
Date: Wed, 21 Jul 2004 14:14:10 -0400
From: James
To: Petri Helenius
cc: freebsd-net@freebsd.org
cc: Andre Oppermann
cc: James
Subject: Re: IPFW2 versrcreach update
Message-ID: <20040721181410.GA5511@scylla.towardex.com>
In-Reply-To: <40FEADC1.8070400@he.iki.fi>
References: <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org> <20040721114455.GA47249@scylla.towardex.com> <40FEADC1.8070400@he.iki.fi>
List-Id: Networking and TCP/IP with FreeBSD

> Where would the ICMP go anyway because you either don't have a route to
> where you would point the packet to or the route points to null.

Under the uRPF drop condition, ICMP should not happen b/c the source of the
route is a null route. Under the normal, non-uRPF drop condition, the ICMP
unreachable will go to the *source*, who is _not_ part of the null route.

For example: If you are host 10.10.10.2 behind a router 10.10.10.1, and you
run traceroute to 3.3.3.3, and if your router does not have a route for
3.3.3.3 (not even a default route), the router will generate a !N/!H ICMP
message back to the source, that being 10.10.10.2, and that being you.

If you are host 10.10.10.2, and you spoof your IP address to 1.1.1.1, and the
router runs loose-check uRPF and has 1.1.1.1 as RTF_REJECT, the router
obviously cannot generate ICMP back at you, b/c you are claiming to be
1.1.1.1, which is routed to null.

-J

--
James Jun                                    TowardEX Technologies, Inc.
Technical Lead                Network Design, Consulting, IT Outsourcing
james@towardex.com          Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867       web: http://www.towardex.com , noc: www.twdx.net
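The forwarding decision described in the post, as an added model that is not part of the thread or of ipfw's code: a longest-prefix lookup, a loose-check uRPF test that rejects sources covered only by an RTF_REJECT route (or, an assumption made here, only by the default route), and the resulting ICMP behaviour, where an unreachable is addressed to the packet's source and therefore is never generated for a null-routed (spoofed) source. The routing table and addresses are constructed to match the 10.10.10.2 / 1.1.1.1 / 3.3.3.3 scenario above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    reject: bool = False  # RTF_REJECT: a null route


def lookup(table, addr):
    """Longest-prefix match; None when no route covers addr (no default either)."""
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def loose_urpf_passes(table, src):
    """Loose-check uRPF as modelled here: the source must be covered by some
    route that is neither RTF_REJECT nor the default route (assumption)."""
    r = lookup(table, src)
    return r is not None and not r.reject and r.prefix.prefixlen > 0


def forward(table, src, dst):
    """Return (action, icmp_target). An ICMP unreachable (!N/!H) is sent to
    the packet's *source*; under a uRPF drop nothing is sent, because that
    source is exactly the address that is routed to null."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not loose_urpf_passes(table, src):
        return ("drop-silent", None)
    r = lookup(table, dst)
    if r is None or r.reject:
        return ("icmp-unreach", str(src))
    return ("forward", None)


# Constructed table: the LAN 10.10.10.0/24 is directly connected,
# 1.1.1.0/24 is a reject (null) route, and 3.3.3.3 has no route at all.
TABLE = [
    Route(ipaddress.ip_network("10.10.10.0/24")),
    Route(ipaddress.ip_network("1.1.1.0/24"), reject=True),
]

if __name__ == "__main__":
    # Legitimate host: unreachable goes back to 10.10.10.2.
    print(forward(TABLE, "10.10.10.2", "3.3.3.3"))
    # Source spoofed to a null-routed address: dropped, no ICMP at all.
    print(forward(TABLE, "1.1.1.1", "3.3.3.3"))
```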