Mossburg, Geoff (MAN-Corporate) wrote:
> 
> Out of curiosity, how would this affect traceroutes using UDP
> instead of TCP?

I don't think you meant to say TCP. There are two varieties of traceroute,
however, one that sends ICMP Echos (pings) and one that sends UDP packets.
But they both manipulate the IP TTL field and that's what matters. The upper
layer data isn't really relevant, except for the last hop to an end station.
If you use UDP, the end station sends a Port Unreachable message. If you use
ping, the end station responds with a ping reply.

Both methods make use of the IP TTL and learn about routers in the path
because the routers decrement the TTL. If a router decrements the TTL to
zero, it sends back an ICMP TTL Exceeded message. That message is what
allows traceroute to know about the existence of each router.

If you want to hide your existence, you need to avoid sending that message.
If your core is MPLS-based (or a tunnel like I mentioned), then the routers
won't send the message. ACLs can also filter the message.
_______________________________

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com


> Thanks!
> Geoff Mossburg
> 
> -----Original Message-----
> From: Peter van Oene [mailto:pvo@;usermail.com]
> Sent: Wednesday, November 13, 2002 4:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Hide traceroute [7:57343]
> 
> 
> On Wed, 2002-11-13 at 05:08, ciscoGo2002 wrote:
> > Hello friends,
> > 
> > Suppose that I have an ISP and I would like to hide my
> > internal addresses from the external customers. I would
> > like to do it without using a firewall and without
> > ACLs.... Is there any way to do this? Can I disable
> > TTL processing in Cisco routers?
> 
> This is usually done with MPLS based cores.  Essentially, the IP TTL is
> not modified at egress to reflect the number of MPLS "hops" within the
> network, which essentially makes the entire MPLS cloud look like one
> hop.  However, the MPLS TTL is still used within the cloud for loop
> mitigation.  
> 
> Turning off TTL decrementing would remove the loop mitigation capability
> in IP, which would result in packets looping endlessly, which really isn't
> a good thing, and certainly not worth the tradeoff gained by hiding one's
> topology ;-)
> 
> Pete
> 
> 
> 
> > Thanks!




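The two technical points in this thread (Priscilla's: each router that decrements the IP TTL to zero answers with ICMP Time Exceeded, and the end station answers with Port Unreachable for UDP probes or Echo Reply for ICMP probes; Pete's: an MPLS core that does not propagate the IP TTL shows up as a single hop while the label TTL still stops loops) can be illustrated with a small simulation. The following Python is an added example, not code from any of the posters or from any vendor; the `Router` model, the `mpls_core` and `acl_drops_exceeded` flags, the `propagate_ttl` switch and the label TTL of 255 are assumptions made for the illustration, and the hop names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    mpls_core: bool = False           # P router: label-switched, IP TTL untouched
    acl_drops_exceeded: bool = False  # outbound ACL filters ICMP Time Exceeded


LABEL_TTL_AT_INGRESS = 255  # assumed MPLS TTL written by the ingress LER


def send_probe(routers, dest, ttl, proto="udp", propagate_ttl=False):
    """Forward one traceroute probe with IP TTL `ttl` through `routers` to `dest`.

    Returns (responder, reply). responder is None when no ICMP comes back.
    """
    label_ttl = LABEL_TTL_AT_INGRESS
    for r in routers:
        if r.mpls_core and not propagate_ttl:
            # Inside the cloud only the label TTL is decremented; the IP TTL is
            # not copied back at egress, so no IP Time Exceeded originates here.
            # The label TTL still gives loop mitigation: at zero the packet dies.
            label_ttl -= 1
            if label_ttl == 0:
                return None, "dropped in core (label TTL expired)"
            continue
        # Ordinary IP forwarding (or MPLS with TTL propagation): decrement,
        # and at zero report back to the sender.
        ttl -= 1
        if ttl == 0:
            if r.acl_drops_exceeded:
                return None, "* (Time Exceeded filtered by ACL)"
            return r.name, "ICMP Time Exceeded"
    # Probe reached the end station with TTL >= 1; the reply depends on the
    # upper-layer protocol, exactly as the post describes.
    if proto == "udp":
        return dest, "ICMP Port Unreachable"
    return dest, "ICMP Echo Reply"


def traceroute(routers, dest, proto="udp", propagate_ttl=False, max_ttl=30):
    """Classic traceroute loop: TTL 1, 2, 3, ... until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        who, reply = send_probe(routers, dest, ttl, proto, propagate_ttl)
        hops.append((ttl, who, reply))
        if who == dest or reply.startswith("dropped"):
            break
    return hops


def visible_hops(hops):
    """Names traceroute would print (None for a '*' timeout line)."""
    return [who for _, who, _ in hops]


# Constructed topology: customer edge, ingress PE, two core P routers, egress PE.
PATH = [
    Router("cust-edge"),
    Router("pe1"),
    Router("p1", mpls_core=True),
    Router("p2", mpls_core=True),
    Router("pe2"),
]

if __name__ == "__main__":
    print("MPLS core, no TTL propagation (cloud looks like one hop):")
    for ttl, who, reply in traceroute(PATH, "server"):
        print(f"  {ttl:2d}  {who or '*':10s}  {reply}")
    print("Same core with TTL propagation (every P router is exposed):")
    for ttl, who, reply in traceroute(PATH, "server", propagate_ttl=True):
        print(f"  {ttl:2d}  {who or '*':10s}  {reply}")
    print("ICMP-based traceroute ends with an Echo Reply instead:")
    print(" ", traceroute(PATH, "server", proto="icmp")[-1])
```

Running it shows the P routers vanish from the output when the IP TTL is not propagated, yet a probe that would loop inside the core (modelled by a long chain of `mpls_core` routers) is still discarded once the label TTL reaches zero, which is the loop-mitigation tradeoff Pete mentions; an ACL on a router only replaces its line with a `*`, it does not shorten the path.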
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57405&t=57343