JUNOS ping utility and fragmented ICMP "echo request" probes

m4rtinm4rtin Member Posts: 170
Let's say I have a following setup:
Cisco891[Gi0] <- L2 last-mile provider -> [ae0.199]M10i

Both Gi0 and ae0.199 have MTU 1500 bytes. Cisco 891 has 10.10.10.2 configured to it's Gi0 and M10i has 10.10.10.1 on it's ae0.199.

If I execute "ping 10.10.10.2 size 1473 count 1"(or larger packet size) in M10i and tcpdump traffic, I can see following:
00:14:51.326107 Out 0:19:e2:8c:8b:f0 > c8:9c:1d:33:f8:d4, ethertype  802.1Q (0x8100), length 68: vlan 199, p 0, ethertype IPv4, truncated-ip -  1450 bytes missing! 10.10.10.1 > 10.10.10.2: ICMP echo request, id  57716, seq 0, length 1480
00:14:51.326151 Out 0:19:e2:8c:8b:f0 >  c8:9c:1d:33:f8:d4, ethertype 802.1Q (0x8100), length 39: vlan 199, p 0,  ethertype IPv4, 10.10.10.1 > 10.10.10.2: icmp
00:14:51.345959  In PFE proto 2 (ipv4): 10.10.10.2 > 10.10.10.1: ICMP echo reply, id 57716, seq 0, length 1480

In other words ICMP "echo request" probe gets fragmented(first part is sent out at 00:14:51.326107 and the second part is sent out at 00:14:51.326151). In addition, there is a reply from Cisco 891 received at 00:14:51.345959.

Why isn't this ICMP "echo reply" message accepted by ping utility? I mean ping utility in Juniper shows that the ICMP "echo request" did not get "echo reply" back: 1 packets transmitted, 0 packets received, 100% packet loss. How does ping utility know that the reply he got was incomplete? icon_rolleyes.gif

Comments

  • AldurAldur Juniper Moderator Member Posts: 1,460
    I could be way off here, this is a difficult one to answer, but I think this might have something to do with protecting the RE. Any fragmented PING packets are high suspect is malicious. Or it could be that the cisco device is not replying properly to the fragmented PING packets.

    Can you test packet fragmentation with something else besides PING packets? Is there any tunneling protocols involved, GRE, IPSEC?
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • m4rtinm4rtin Member Posts: 170
    Aldur wrote: »
    I could be way off here, this is a difficult one to answer, but I think this might have something to do with protecting the RE. Any fragmented PING packets are high suspect is malicious. Or it could be that the cisco device is not replying properly to the fragmented PING packets.

    Can you test packet fragmentation with something else besides PING packets? Is there any tunneling protocols involved, GRE, IPSEC?

    You were correct- it was caused by Juniper firewall filter :) I played a little with filters protecting the routing engine and came up with this:
    root> show configuration interfaces lo0               
    unit 0 {
        family inet {
            filter {
                input-list [ RE-protect accept ];
            }
        }
    }
    
    root> show configuration firewall          
    filter RE-protect {
        term icmp {
            from {
                protocol icmp;
                icmp-type-except [ echo-request echo-reply unreachable time-exceeded source-quench ];
            }
            then {
                count manage-discard-icmp;
                discard;
            }
        }
    }
    filter accept {
        term accept {
            then accept;
        }
    }
    
    root> 
    
    

    Should such filter allow fragmented ICMP packets or not? icon_rolleyes.gif
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    Do you have a screen applied to the Zones involved (Security or functional which is implied from your filtering of lo0), do you have the ICMP Fragment and/or Large options set? Both will block this traffic I think.

    Edit: Duh, presuming SRX but guessing from your naming convention it may not be...oh well :)
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • m4rtinm4rtin Member Posts: 170
    Ahriakin wrote: »
    Do you have a screen applied to the Zones involved (Security or functional which is implied from your filtering of lo0), do you have the ICMP Fragment and/or Large options set? Both will block this traffic I think.

    Edit: Duh, presuming SRX but guessing from your naming convention it may not be...oh well :)

    yes, it's an Olive machine :) However, any other suggestions?
Sign In or Register to comment.