Date:      Wed, 21 Jul 2004 14:17:45 -0400
From:      James <james@towardex.com>
To:        Petri Helenius <pete@he.iki.fi>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW2 versrcreach update
Message-ID:  <20040721181745.GB5511@scylla.towardex.com>
In-Reply-To: <20040721181410.GA5511@scylla.towardex.com>
References:  <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org> <20040721114455.GA47249@scylla.towardex.com> <40FEADC1.8070400@he.iki.fi> <20040721181410.GA5511@scylla.towardex.com>


On Wed, Jul 21, 2004 at 02:14:10PM -0400, James wrote:
> > >
> > Where would the ICMP go anyway because you either don't have a route to 
> > where you would point the packet to or the route points to null.
> 

Hmm.. Something tells me that whatever I said below is exactly the same as what
you said.. :) doh

Sorry for useless reply :)

-J

> Under uRPF drop condition, ICMP should not happen b/c the source of the route
> is null route.
> 
> Under normal, non-uRPF drop condition, ICMP unreachable will go to the *source*
> who is _not_ part of the null route.
> 
> For example: If you are host 10.10.10.2 behind a router 10.10.10.1, and you
> run traceroute to 3.3.3.3 and if your router does not have a route for 3.3.3.3
> (not even default route), the router will generate !N/!H icmp message back to
> the source, that being 10.10.10.2, and that being you.
> 
> If you are host 10.10.10.2, and you spoof your IP address to 1.1.1.1, and the
> router runs loose-check uRPF and has 1.1.1.1 as RTF_REJECT, the router
> obviously cannot generate ICMP back at you, b/c you are claiming to be
> 1.1.1.1 which is routed to null.
> 
> -J
> 
> -- 
> James Jun                                            TowardEX Technologies, Inc.
> Technical Lead                        Network Design, Consulting, IT Outsourcing
> james@towardex.com                  Boston-based Colocation & Bandwidth Services
> cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
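The forwarding logic described in the quoted message, as an added example that is not part of the thread or of the ipfw code: a small model of a FIB with reject routes, the loose-check uRPF test that versrcreach performs, and the rule that an ICMP unreachable is only emitted when the source itself is reachable. The route table and addresses are constructed for illustration.

```python
# Added example (not from the thread or from ipfw): model of the decision
# described above. Routes are (prefix, reject) pairs; reject=True stands in
# for an RTF_REJECT / null route. The table and addresses are constructed.
import ipaddress

ROUTES = [
    ("10.10.10.0/24", False),   # the LAN behind router 10.10.10.1
    ("1.1.1.0/24", True),       # 1.1.1.0/24 is routed to null (RTF_REJECT)
]

def lookup(addr):
    """Longest-prefix match; returns (prefix, is_reject) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, reject in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, reject)
    return None if best is None else (str(best[0]), best[1])

def versrcreach_ok(src):
    """Loose-check uRPF as ipfw's versrcreach does it: the source must resolve
    to some route that is neither the default route nor a reject/blackhole
    route. Unlike verrevpath, the ingress interface is not compared."""
    r = lookup(src)
    return r is not None and not r[1] and r[0] != "0.0.0.0/0"

def forward(src, dst):
    """Return (verdict, icmp_sent). icmp_sent is True only when the router
    would emit an ICMP unreachable (!N/!H) back toward src."""
    if not versrcreach_ok(src):
        # uRPF drop: src is unroutable or null-routed, so there is nowhere
        # to send an ICMP error; the packet is dropped silently.
        return ("drop-urpf", False)
    d = lookup(dst)
    if d is None or d[1]:
        # Ordinary no-route / reject case: ICMP unreachable goes back to the
        # source, which versrcreach has just shown to be reachable.
        return ("drop-unreachable", True)
    return ("forward", False)

if __name__ == "__main__":
    print(forward("10.10.10.2", "3.3.3.3"))   # real host, no route to dst
    print(forward("1.1.1.1", "3.3.3.3"))      # spoofed source in null route
```

The first call is the traceroute case from the message (ICMP goes to 10.10.10.2); the second is the spoofed 1.1.1.1 case, where the packet fails versrcreach and no ICMP is generated at all.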
