Date: Wed, 21 Jul 2004 14:14:10 -0400
From: James <james@towardex.com>
To: Petri Helenius <pete@he.iki.fi>
Cc: James <haesu@towardex.com>
Subject: Re: IPFW2 versrcreach update
Message-ID: <20040721181410.GA5511@scylla.towardex.com>
In-Reply-To: <40FEADC1.8070400@he.iki.fi>
References: <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org> <20040721114455.GA47249@scylla.towardex.com> <40FEADC1.8070400@he.iki.fi>
> Where would the ICMP go anyway because you either don't have a route to
> where you would point the packet to or the route points to null.

Under uRPF drop condition, ICMP should not happen b/c the source of the route is a null route. Under normal, non-uRPF drop condition, ICMP unreachable will go to the *source* who is _not_ part of the null route.

For example:

If you are host 10.10.10.2 behind a router 10.10.10.1, and you run traceroute to 3.3.3.3 and if your router does not have a route for 3.3.3.3 (not even a default route), the router will generate a !N/!H icmp message back to the source, that being 10.10.10.2, and that being you.

If you are host 10.10.10.2, and you spoof your IP address to 1.1.1.1, and the router runs loose-check uRPF and has 1.1.1.1 as RTF_REJECT, the router obviously cannot generate ICMP back at you, b/c you are claiming to be 1.1.1.1 which is routed to null.

-J

-- 
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
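A small model of the two drop cases discussed in this message, added here as an example; it is not code from the thread or from ipfw itself. The FIB contents, the loose-uRPF check named `versrcreach` and the `forward` decision function are constructed assumptions that follow the behaviour James describes (uRPF failure drops silently; a missing destination route drops with ICMP unreachable to the source).

```python
import ipaddress

# Constructed example FIB: (prefix, is_reject). is_reject models RTF_REJECT,
# i.e. a null route. There is deliberately no default route, as in the thread.
FIB = [
    ("10.10.10.0/24", False),   # LAN behind the router, host 10.10.10.2 lives here
    ("1.1.1.1/32", True),       # null-routed prefix (RTF_REJECT)
]

def lookup(fib, addr):
    """Longest-prefix-match lookup; returns (network, is_reject) or None when no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_reject in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_reject)
    return best

def versrcreach(fib, src):
    """Loose uRPF: the source must have a route and that route must not be RTF_REJECT."""
    route = lookup(fib, src)
    return route is not None and not route[1]

def forward(fib, src, dst, urpf=True):
    """Decide what the router does with one packet.

    Returns (action, icmp_target): action is "forward" or "drop"; icmp_target is the
    address an ICMP unreachable is sent to, or None when no ICMP is generated.
    """
    # uRPF failure: silent drop. The only place an ICMP could go is the claimed
    # source, which has no usable route, so none is generated.
    if urpf and not versrcreach(fib, src):
        return ("drop", None)
    route = lookup(fib, dst)
    # No route (or a null route) to the destination: drop and report back to the
    # *source* with ICMP unreachable (the !N/!H seen in traceroute output).
    if route is None or route[1]:
        return ("drop", src)
    return ("forward", None)
```

Running `forward(FIB, "10.10.10.2", "3.3.3.3")` gives a drop with ICMP to 10.10.10.2, while the spoofed case `forward(FIB, "1.1.1.1", "3.3.3.3")` drops with no ICMP at all.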