JUNOS ping utility and fragmented ICMP "echo request" probes

m4rtin · October 2011

Let's say I have a following setup:

Cisco891[Gi0] <- L2 last-mile provider -> [ae0.199]M10i

Both Gi0 and ae0.199 have MTU 1500 bytes. Cisco 891 has 10.10.10.2 configured to it's Gi0 and M10i has 10.10.10.1 on it's ae0.199.

If I execute "ping 10.10.10.2 size 1473 count 1"(or larger packet size) in M10i and tcpdump traffic, I can see following:

00:14:51.326107 Out 0:19:e2:8c:8b:f0 > c8:9c:1d:33:f8:d4, ethertype  802.1Q (0x8100), length 68: vlan 199, p 0, ethertype IPv4, truncated-ip -  1450 bytes missing! 10.10.10.1 > 10.10.10.2: ICMP echo request, id  57716, seq 0, length 1480
00:14:51.326151 Out 0:19:e2:8c:8b:f0 >  c8:9c:1d:33:f8:d4, ethertype 802.1Q (0x8100), length 39: vlan 199, p 0,  ethertype IPv4, 10.10.10.1 > 10.10.10.2: icmp
00:14:51.345959  In PFE proto 2 (ipv4): 10.10.10.2 > 10.10.10.1: ICMP echo reply, id 57716, seq 0, length 1480

In other words ICMP "echo request" probe gets fragmented(first part is sent out at 00:14:51.326107 and the second part is sent out at 00:14:51.326151). In addition, there is a reply from Cisco 891 received at 00:14:51.345959.

Why isn't this ICMP "echo reply" message accepted by ping utility? I mean ping utility in Juniper shows that the ICMP "echo request" did not get "echo reply" back: 1 packets transmitted, 0 packets received, 100% packet loss. How does ping utility know that the reply he got was incomplete?

Aldur · October 2011

I could be way off here, this is a difficult one to answer, but I think this might have something to do with protecting the RE. Any fragmented PING packets are high suspect is malicious. Or it could be that the cisco device is not replying properly to the fragmented PING packets.

Can you test packet fragmentation with something else besides PING packets? Is there any tunneling protocols involved, GRE, IPSEC?

m4rtin · October 2011

Aldur wrote: »

I could be way off here, this is a difficult one to answer, but I think this might have something to do with protecting the RE. Any fragmented PING packets are high suspect is malicious. Or it could be that the cisco device is not replying properly to the fragmented PING packets.

Can you test packet fragmentation with something else besides PING packets? Is there any tunneling protocols involved, GRE, IPSEC?

You were correct- it was caused by Juniper firewall filter

I played a little with filters protecting the routing engine and came up with this:

root> show configuration interfaces lo0               
unit 0 {
    family inet {
        filter {
            input-list [ RE-protect accept ];
        }
    }
}

root> show configuration firewall          
filter RE-protect {
    term icmp {
        from {
            protocol icmp;
            icmp-type-except [ echo-request echo-reply unreachable time-exceeded source-quench ];
        }
        then {
            count manage-discard-icmp;
            discard;
        }
    }
}
filter accept {
    term accept {
        then accept;
    }
}

root>

Should such filter allow fragmented ICMP packets or not?

Ahriakin · October 2011

Do you have a screen applied to the Zones involved (Security or functional which is implied from your filtering of lo0), do you have the ICMP Fragment and/or Large options set? Both will block this traffic I think.

Edit: Duh, presuming SRX but guessing from your naming convention it may not be...oh well

m4rtin · October 2011

Ahriakin wrote: »

Do you have a screen applied to the Zones involved (Security or functional which is implied from your filtering of lo0), do you have the ICMP Fragment and/or Large options set? Both will block this traffic I think.

Edit: Duh, presuming SRX but guessing from your naming convention it may not be...oh well

yes, it's an Olive machine

However, any other suggestions?

JUNOS ping utility and fragmented ICMP "echo request" probes

Comments