Date: Tue, 18 Feb 2014 00:13:39 -0600 (CST)
From: Michael Glasgow <glasgow@beer.net>
To: freebsd-net@freebsd.org
Subject: ipsec foils traceroute on gre/gif
Message-ID: <201402180613.s1I6DdhS020353@dark.beer.net>
I noticed traceroute misses a hop when crossing an encrypted gif or gre
tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example. It appears
the TTL-exceeded ICMP isn't properly generated.

Poking through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any untoward
security ramifications was not forthcoming.

Anyone have an interest in resurrecting this?

-- 
Michael Glasgow <glasgow@beer.net>
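The symptom in the message is visible only in the traceroute text: one TTL value gets no reply at all, and the next answering hop shows a large RTT jump across the gap. The following Python is an added example, not code from the message or from FreeBSD: it parses traceroute output in the format shown above (Linux-style lines with `host (addr)  rtt ms ...`), flags hops where every probe timed out, and measures the RTT increase between the answering hops on either side of such a gap. The sample text is the author's own output from the message; the line format it assumes is the only assumption.

```python
import re
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

# Traceroute output copied from the message above. Hop 3 is the silent
# hop the author attributes to a missing TTL-exceeded ICMP on the tunnel.
SAMPLE_TRACEROUTE = """\
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl>  <rest of line>"
HOST_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")      # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+)\s*ms")               # every "<n> ms" probe


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]       # None when no probe was answered
    rtts_ms: List[float]      # empty when every probe timed out ("* * *")

    @property
    def silent(self) -> bool:
        return not self.rtts_ms


def parse_traceroute(text: str) -> List[Hop]:
    """Turn traceroute output into Hop records; the header line is skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                     # "traceroute to ..." header
        ttl, rest = int(m.group(1)), m.group(2)
        hm = HOST_RE.match(rest)
        addr = hm.group(2) if hm else None
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append(Hop(ttl, addr, rtts))
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """TTL values for which no probe drew a TTL-exceeded reply."""
    return [h.ttl for h in hops if h.silent]


def rtt_jump_across(hops: List[Hop], ttl: int) -> Optional[Tuple[int, int, float]]:
    """For a silent hop, return (prev_ttl, next_ttl, median RTT increase in ms)
    between the nearest answering hops before and after it, or None if one
    side has no answering hop."""
    by_ttl = {h.ttl: h for h in hops}
    before = [h for h in hops if h.ttl < ttl and not h.silent]
    after = [h for h in hops if h.ttl > ttl and not h.silent]
    if ttl not in by_ttl or not before or not after:
        return None
    prev_hop, next_hop = before[-1], after[0]
    jump = median(next_hop.rtts_ms) - median(prev_hop.rtts_ms)
    return prev_hop.ttl, next_hop.ttl, jump


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for ttl in silent_hops(hops):
        gap = rtt_jump_across(hops, ttl)
        if gap:
            print(f"hop {ttl} silent; RTT rises {gap[2]:.3f} ms "
                  f"between hops {gap[0]} and {gap[1]}")
```

Run on the message's output this reports hop 3 as silent with the roughly 246 ms rise between hops 2 and 4. The same check is useful when a firewall is suspected instead of the tunnel endpoint: a silent hop followed by a normal RTT progression points at a filtered reply, while a silent hop followed by a jump of this size is consistent with the tunnel path the author describes.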