ipsec foils traceroute on gre/gif
Michael Glasgow
glasgow at beer.net
Tue Feb 18 06:24:02 UTC 2014
I noticed traceroute misses a hop when crossing an encrypted gif
or gre tunnel, e.g.:
$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
1 169.254.249.21 (169.254.249.21) 0.524 ms 0.728 ms 0.726 ms
2 169.254.249.25 (169.254.249.25) 1.143 ms 1.160 ms 1.156 ms
3 * * *
4 172.29.0.5 (172.29.0.5) 241.931 ms 247.545 ms 252.398 ms
Firewalls are all completely disabled in the above example. It
appears the TTL-exceeded ICMP isn't properly generated. Poking
through the archives, I found this old thread with a lot of info:
http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html
But alas, the final word on whether the recommended fix had any
untoward security ramifications was not forthcoming. Anyone have
an interest in resurrecting this?
--
Michael Glasgow <glasgow at beer.net>
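The symptom in the post is a hop that answers nothing while the hops on either side of it do. The following script is an added example, not part of the original message or of FreeBSD: it parses standard traceroute text output, flags every interior silent hop, and reports which responders bracket the gap and how much the median RTT rises across it. The embedded sample is the output quoted above, constructed inline so the script runs offline; a trailing run of silent hops is deliberately not reported, since that indicates an unreachable destination rather than a router that swallowed its time-exceeded reply.

```python
"""Parse traceroute output and flag hops that produced no ICMP time-exceeded reply.

Added example, not from the original post. Input format is the traceroute
text shown in the message; the sample below is that output, embedded here
(constructed) so the script runs offline.
"""
import re
import statistics
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the traceroute output quoted in the post.
SAMPLE = """\
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")       # "<ttl>  <rest of line>"
ADDR_RE = re.compile(r"\(([^)]+)\)")             # "(ip)" following the hostname
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")     # each "<n> ms" probe result


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]                          # None when every probe was "*"
    rtts: List[float] = field(default_factory=list)

    @property
    def silent(self) -> bool:
        """True when no probe sent at this TTL drew any reply."""
        return not self.rtts

    @property
    def median_rtt(self) -> Optional[float]:
        return statistics.median(self.rtts) if self.rtts else None


def parse_traceroute(text: str) -> List[Hop]:
    """Turn traceroute text into Hop records; non-hop lines (the header) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        addr_m = ADDR_RE.search(rest)
        hops.append(Hop(ttl=ttl,
                        addr=addr_m.group(1) if addr_m else None,
                        rtts=[float(x) for x in RTT_RE.findall(rest)]))
    return hops


@dataclass
class SilentHop:
    ttl: int
    prev_addr: Optional[str]        # last hop that answered before the gap
    next_addr: Optional[str]        # first hop that answered after the gap
    rtt_jump_ms: Optional[float]    # median RTT(next) - median RTT(prev), if both known


def find_silent_hops(hops: List[Hop]) -> List[SilentHop]:
    """Report each interior silent hop with the responders on either side.

    A trailing run of silent hops (destination never answered) is left out:
    that points at an unreachable target, not at a router that failed to
    send its time-exceeded message.
    """
    findings = []
    for i, hop in enumerate(hops):
        if not hop.silent:
            continue
        before = next((h for h in reversed(hops[:i]) if not h.silent), None)
        after = next((h for h in hops[i + 1:] if not h.silent), None)
        if after is None:
            break                                # only silent hops remain
        jump = None
        if before is not None:
            jump = after.median_rtt - before.median_rtt
        findings.append(SilentHop(hop.ttl,
                                  before.addr if before else None,
                                  after.addr, jump))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per silent hop found in the traceroute text."""
    lines = []
    for f in find_silent_hops(parse_traceroute(text)):
        msg = f"hop {f.ttl}: no reply between {f.prev_addr} and {f.next_addr}"
        if f.rtt_jump_ms is not None:
            msg += f"; RTT rises by {f.rtt_jump_ms:.1f} ms across the gap"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On the quoted output this reports hop 3 as silent between 169.254.249.25 and 172.29.0.5 with the median RTT rising by roughly 246 ms across the gap. The parser only tells you that a hop is silent; it cannot by itself distinguish a router that filters ICMP from one that never generates the time-exceeded message, which is why the post's note that all firewalls were disabled matters when reading the result.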