Re: IP helper address and subnet broadcast [7:25485]
Priscilla Oppenheimer wrote:

> Thank-you very much for your research and testing, Ben.
>
> The person who started this discussion (offline) also wrote back and confirmed that the subnet broadcasts are indeed forwarded to the address in his IP helper address command. I agree that it makes sense from the point of view that the subnet broadcast (10.10.255.255) is no different from an ordinary broadcast (255.255.255.255) at the MAC layer. They both go to FF:FF:FF:FF:FF:FF.
>
> There are concerns about this behavior however. In his case the DHCP server is the helper address. It is receiving all sorts of junk that it shouldn't receive, including WINS and BROWSE stuff. The IP Helper Address configuration is causing these packets to be sent as unicast packets to the DHCP server. It's probably just a minor performance issue, but worth fixing.
>
> I don't know enough about his network to recommend this definitely, but he may be able to configure "no ip forward-protocol 137" and "no ip forward-protocol 138" to ensure that the WINS and BROWSE stuff is not forwarded. I believe he has an actual WINS server also that can handle the WINS service and the nodes are configured as H-Nodes so they are unicasting to the WINS server in addition to sending their broadcasts.
>
> I thought this was interesting! I wonder how many people have thought about how much junk by default gets forwarded with IP helper address. And offline, some experts asked me why would a router forward a subnet broadcast, so they all agreed that this was not completely expected behavior.
>
> Thanks again,
>
> Priscilla
>
> At 10:00 AM 11/7/01, R. Benjamin Kessler wrote:
> >I setup a remote unix box running nmap and had it send packets to the subnet broadcast address (in my case 192.168.72.255). I configured my router with an ip helper command (sending to a single host). I executed the nmap command with and without IP directed broadcast configured on the router interface and didn't see any difference.
> >
> >Running a sniffer-like device on the target (of the ip helper command) I was able to verify the receipt of the packets sent via nmap.
> >
> >Given a network similar to the following:
> >
> >       +-------+      +-------+
> >    ---| rtr a |------| rtr b |---
> >    e0 +-------+ e1  e1 +-------+ e0
> >
> >My understanding of directed-broadcast is that if a packet sourced from rtr a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will forward it if directed-broadcast is enabled and drop if not.
> >
> >IP helper impacts packets heading out (from the router) to the interface in question not packets inbound.
> >
> >To take this discussion a step further, the IP helper function processes packets sent to the MAC-layer broadcast address for the specified protocols. A packet sent to the local IP broadcast address (10.10.255.255 in Priscilla's example) will have the same MAC-layer destination address as a packet sent to 255.255.255.255.
> >
> >Comments, questions? Anyone think my logic is all wet?
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Priscilla Oppenheimer
> >Sent: Tuesday, November 06, 2001 9:43 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: IP helper address and subnet broadcast [7:25485]
> >
> >I know how IP helper address, directed broadcasts, NetBIOS, etc. work. (NetBIOS session service doesn't broadcast, by the way, and in fact uses TCP not UDP, so I doubt that it needs to be added to the list. It's used between a client and server after the client has mapped the NetBIOS name to the server's address.)
> >
> >The question is: will the router (with IP helper address) forward if the source sends to a subnet broadcast such as 10.10.255.255 instead of sending to 255.255.255.255? Nowhere does the documentation say that it won't, so I guess it will.
> >
> >Note that I am not asking about the forwarding of directed broadcasts. The IP helper address is configured with an actual server's address, not a directed broadcast address.
> >
> >I'm not looking for the boring answers to the boring questions. The question is not the same one that you have seen many times. ;-)
> >
> >Priscilla
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Many of the big corporations have been aware of it for some time. When I had to set up DHCP at a certain Silicon Valley giant corporation in 1996, I came across their white paper on setting up DHCP relay via Cisco's ip helper-address, with specific instructions to do a "no ip forward" on UDP 137 and 138.

Jonathan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25734&t=25485
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: IP helper address and subnet broadcast [7:25485]
I had a similar situation in the past where the DHCP servers were on *nix boxes and they got flooded with the NetBT stuff (from 3000+ workstations) needlessly. In this type of a situation "no ip forward protocol" is your friend.

To just forward the DHCP requests you need to do the following:

  no ip forward-protocol udp tftp
  no ip forward-protocol udp nameserver
  no ip forward-protocol udp domain
  no ip forward-protocol udp time
  no ip forward-protocol udp netbios-ns
  no ip forward-protocol udp netbios-dgm
  no ip forward-protocol udp tacacs

It would be nice if you could disable all and then specifically add the ones you want (i.e. the passive-interface default / no passive-interface method) but - at least on the versions I've tried - she's a no go. You can disable all udp flooding with the command:

  no ip forward-protocol udp

But as soon as you enable a specific service this command gets 'un-done'...perhaps it can be a feature request for the programmers @ Cisco watching this list (do any?).

Hope this helps.

Ben

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 07, 2001 2:44 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IP helper address and subnet broadcast [7:25485]

Thank-you very much for your research and testing, Ben.

The person who started this discussion (offline) also wrote back and confirmed that the subnet broadcasts are indeed forwarded to the address in his IP helper address command. I agree that it makes sense from the point of view that the subnet broadcast (10.10.255.255) is no different from an ordinary broadcast (255.255.255.255) at the MAC layer. They both go to FF:FF:FF:FF:FF:FF.

There are concerns about this behavior however. In his case the DHCP server is the helper address. It is receiving all sorts of junk that it shouldn't receive, including WINS and BROWSE stuff. The IP Helper Address configuration is causing these packets to be sent as unicast packets to the DHCP server. It's probably just a minor performance issue, but worth fixing.

I don't know enough about his network to recommend this definitely, but he may be able to configure "no ip forward-protocol 137" and "no ip forward-protocol 138" to ensure that the WINS and BROWSE stuff is not forwarded. I believe he has an actual WINS server also that can handle the WINS service and the nodes are configured as H-Nodes so they are unicasting to the WINS server in addition to sending their broadcasts.

I thought this was interesting! I wonder how many people have thought about how much junk by default gets forwarded with IP helper address. And offline, some experts asked me why would a router forward a subnet broadcast, so they all agreed that this was not completely expected behavior.

Thanks again,

Priscilla

At 10:00 AM 11/7/01, R. Benjamin Kessler wrote:
>I setup a remote unix box running nmap and had it send packets to the subnet broadcast address (in my case 192.168.72.255). I configured my router with an ip helper command (sending to a single host). I executed the nmap command with and without IP directed broadcast configured on the router interface and didn't see any difference.
>
>Running a sniffer-like device on the target (of the ip helper command) I was able to verify the receipt of the packets sent via nmap.
>
>Given a network similar to the following:
>
>       +-------+      +-------+
>    ---| rtr a |------| rtr b |---
>    e0 +-------+ e1  e1 +-------+ e0
>
>My understanding of directed-broadcast is that if a packet sourced from rtr a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will forward it if directed-broadcast is enabled and drop if not.
>
>IP helper impacts packets heading out (from the router) to the interface in question not packets inbound.
>
>To take this discussion a step further, the IP helper function processes packets sent to the MAC-layer broadcast address for the specified protocols. A packet sent to the local IP broadcast address (10.10.255.255 in Priscilla's example) will have the same MAC-layer destination address as a packet sent to 255.255.255.255.
>
>Comments, questions? Anyone think my logic is all wet?
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Priscilla Oppenheimer
>Sent: Tuesday, November 06, 2001 9:43 PM
>To: [EMAIL PROTECTED]
>Subject: Re: IP helper address and subnet broadcast [7:25485]
>
>I know how IP helper address, directed broadcasts, NetBIOS, etc. work. (NetBIOS session service doesn't broadcast, by the way, and in fact uses TCP not UDP, so I doubt that it needs to be added to the list. It's used between a client and server after the client has mapped the NetBIOS name to the server'
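The forwarding decisions argued over in this thread, written out as a small Python model. This is an added illustration, not IOS code and not anything posted by Ben, Priscilla or Kessler: it models the behaviour they describe (a subnet broadcast and 255.255.255.255 both hit MAC FF:FF:FF:FF:FF:FF and are relayed alike; only the default forward-protocol UDP ports are relayed; a broadcast aimed at another interface's subnet is a directed-broadcast decision, not a helper one). The interface names, the 10.10.0.0/16 and 192.168.72.0/24 subnets, the helper address 10.1.1.5 and the sample packets are constructed for the example; the port numbers are the IANA assignments for the service keywords Ben lists.

```python
"""Toy model of 'ip helper-address' relaying and 'no ip forward-protocol udp'.

Added example, not IOS source. Models what the thread describes: broadcast
classification at the MAC layer, the default UDP relay list and how trimming
it stops NetBIOS (137/138) from reaching the DHCP server, and the separate
'ip directed-broadcast' decision for broadcasts aimed at another subnet.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# UDP services IOS relays by default once a helper address is configured.
# Keywords are the ones used in the thread; numbers are the IANA port assignments.
DEFAULT_FORWARD_PROTOCOLS = {
    "bootps": 67, "bootpc": 68, "tftp": 69, "nameserver": 42, "domain": 53,
    "time": 37, "netbios-ns": 137, "netbios-dgm": 138, "tacacs": 49,
}


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    helper: Optional[str] = None        # 'ip helper-address <server>'
    directed_broadcast: bool = False    # 'ip directed-broadcast'


@dataclass
class Router:
    interfaces: List[Interface]
    # Global 'ip forward-protocol udp' state: the ports still being relayed.
    forward_ports: Set[int] = field(
        default_factory=lambda: set(DEFAULT_FORWARD_PROTOCOLS.values()))

    def no_ip_forward_protocol_udp(self, proto) -> None:
        """Model 'no ip forward-protocol udp <keyword|port>'."""
        port = DEFAULT_FORWARD_PROTOCOLS.get(proto, proto)
        self.forward_ports.discard(int(port))


def mac_destination(dst_ip: str, network: ipaddress.IPv4Network) -> str:
    """Ethernet destination a host on 'network' uses when sending to dst_ip."""
    dst = ipaddress.IPv4Address(dst_ip)
    if dst == LIMITED_BROADCAST or dst == network.broadcast_address:
        return BROADCAST_MAC            # both broadcasts look identical on the wire
    return "unicast"                    # resolved by ARP, or handed to the gateway


def handle_udp(router: Router, ingress: Interface, dst_ip: str, dst_port: int) -> str:
    """Decide what the router does with a UDP packet received on 'ingress'."""
    dst = ipaddress.IPv4Address(dst_ip)
    # 1. Broadcast on the receiving subnet: limited and subnet broadcast alike.
    if mac_destination(dst_ip, ingress.network) == BROADCAST_MAC:
        if ingress.helper is None:
            return f"consumed locally: broadcast on {ingress.name}, no helper"
        if dst_port in router.forward_ports:
            return f"relayed as unicast to {ingress.helper}"
        return f"not relayed: udp/{dst_port} removed by 'no ip forward-protocol'"
    # 2. Broadcast address of another interface's subnet: a directed broadcast.
    for egress in router.interfaces:
        if egress is not ingress and dst == egress.network.broadcast_address:
            if egress.directed_broadcast:
                return f"forwarded as broadcast onto {egress.name}"
            return f"dropped: no ip directed-broadcast on {egress.name}"
    # 3. Anything else is ordinary unicast routing.
    return "routed as unicast"


def build_router(trim: bool = False, directed: bool = False) -> Router:
    """Constructed sample: e0 carries a helper pointing at a DHCP server,
    e1 is the 192.168.72.0/24 subnet from Ben's test (all values constructed)."""
    e0 = Interface("e0", ipaddress.IPv4Network("10.10.0.0/16"), helper="10.1.1.5")
    e1 = Interface("e1", ipaddress.IPv4Network("192.168.72.0/24"),
                   directed_broadcast=directed)
    router = Router([e0, e1])
    if trim:    # Ben's trimmed configuration: only bootps/bootpc are left relayed
        for keyword in ("tftp", "nameserver", "domain", "time",
                        "netbios-ns", "netbios-dgm", "tacacs"):
            router.no_ip_forward_protocol_udp(keyword)
    return router


if __name__ == "__main__":
    default, trimmed = build_router(), build_router(trim=True)
    e0 = default.interfaces[0]
    for dst, port in [("255.255.255.255", 67), ("10.10.255.255", 137),
                      ("192.168.72.255", 137)]:
        print(f"{dst}:{port} mac={mac_destination(dst, e0.network)}")
        print(f"  default -> {handle_udp(default, e0, dst, port)}")
        print(f"  trimmed -> {handle_udp(trimmed, trimmed.interfaces[0], dst, port)}")
```

Running it shows the point of the thread directly: with the default relay list a NetBIOS name-service packet sent to 10.10.255.255 ends up as a unicast to the DHCP server exactly as one sent to 255.255.255.255 does, while after the seven `no ip forward-protocol udp` lines only bootps/bootpc traffic is relayed. Priscilla's numeric form ("no ip forward-protocol 137") works the same way in the model because the method accepts a port number as well as a keyword.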
RE: IP helper address and subnet broadcast [7:25485]
Depends on what you're trying to do...the utility I used here is just "nmap" - see www.insecure.org (note: this is a bit of a "hacking" tool, so use with caution).

This is basically a port scanning tool, you can specify a remote subnet to scan but you give it the range of addresses to probe, I don't see why you couldn't probe a remote host that just happened to have the same address as the subnet broadcast somewhere.

I guess by definition, if you've got a default gateway configured and are sending traffic to a remote subnet you'll have the local router's MAC address as the destination.

If you're looking to do something a bit more elaborate you can try to use a Sniffer to manufacture a string of packets but it is probably more trouble than it's worth. I'm sure that there are plenty of hacker tools that will do this but you'll probably need to go lurking on some different lists to find them...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Logan, Harold
Sent: Wednesday, November 07, 2001 2:32 PM
To: [EMAIL PROTECTED]
Subject: RE: IP helper address and subnet broadcast [7:25485]

Interesting... By any chance do you have a packet manipulator available? For added fun you could put together a frame with a destination IP of the subnet's broadcast addy, and a destination MAC of the routers MAC address...

> -----Original Message-----
> From: R. Benjamin Kessler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 07, 2001 2:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: IP helper address and subnet broadcast [7:25485]
>
> I setup a remote unix box running nmap and had it send packets to the subnet broadcast address (in my case 192.168.72.255). I configured my router with an ip helper command (sending to a single host). I executed the nmap command with and without IP directed broadcast configured on the router interface and didn't see any difference.
>
> Running a sniffer-like device on the target (of the ip helper command) I was able to verify the receipt of the packets sent via nmap.
>
> Given a network similar to the following:
>
>        +-------+      +-------+
>     ---| rtr a |------| rtr b |---
>     e0 +-------+ e1  e1 +-------+ e0
>
> My understanding of directed-broadcast is that if a packet sourced from rtr a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will forward it if directed-broadcast is enabled and drop if not.
>
> IP helper impacts packets heading out (from the router) to the interface in question not packets inbound.
>
> To take this discussion a step further, the IP helper function processes packets sent to the MAC-layer broadcast address for the specified protocols. A packet sent to the local IP broadcast address (10.10.255.255 in Priscilla's example) will have the same MAC-layer destination address as a packet sent to 255.255.255.255.
>
> Comments, questions? Anyone think my logic is all wet?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Priscilla Oppenheimer
> Sent: Tuesday, November 06, 2001 9:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IP helper address and subnet broadcast [7:25485]
>
> I know how IP helper address, directed broadcasts, NetBIOS, etc. work. (NetBIOS session service doesn't broadcast, by the way, and in fact uses TCP not UDP, so I doubt that it needs to be added to the list. It's used between a client and server after the client has mapped the NetBIOS name to the server's address.)
>
> The question is: will the router (with IP helper address) forward if the source sends to a subnet broadcast such as 10.10.255.255 instead of sending to 255.255.255.255? Nowhere does the documentation say that it won't, so I guess it will.
>
> Note that I am not asking about the forwarding of directed broadcasts. The IP helper address is configured with an actual server's address, not a directed broadcast address.
>
> I'm not looking for the boring answers to the boring questions. The question is not the same one that you have seen many times. ;-)
>
> Priscilla
>
> At 10:09 PM 11/6/01, Erick B. wrote:
> >Priscilla,
> >
> >They need to enable one more 'ip forward-protocol udp' globally for this to work, as well as enable directed-broadcast on target router interface where ip-helper is forwarding to.
> >
> >Also, I replied to nrf on this as well in more detail just explaining helper-address and directed-broadcasts.
> >
> >
RE: IP helper address and subnet broadcast [7:25485]
The few times I've needed a packet manipulator, SnifferPro has worked fine for me. The idea I was shooting for (please keep in mind that yesterday I was working on 3 hours of sleep and no caffeine) was to put together a layer 3 broadcast with a layer 2 unicast address, specifically the destination MAC of the router's ethernet interface. That, combined with some packet debugging or accounting on the far router, could tell you if the router forwards traffic to the ip helper address because the layer 2 destination addy is all F's, or if it forwards to the ip helper address because the layer 3 destination address is the subnet's broadcast addy.

I suppose if I'm that curious I should get off my arse and set up such a scenario here, but I let someone else label the cables in my pod, and I'm still working on fixing it... right now the classroom where we keep the routers has v.35 and cat5 cables strewn all over the place. Argh.

Hal Logan
Network Specialist / Adjunct Faculty
Computing and Engineering Technology
Manatee Community College

> -----Original Message-----
> From: R. Benjamin Kessler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 07, 2001 5:18 PM
> To: Logan, Harold; [EMAIL PROTECTED]
> Subject: RE: IP helper address and subnet broadcast [7:25485]
>
> Depends on what you're trying to do...the utility I used here is just "nmap" - see www.insecure.org (note: this is a bit of a "hacking" tool, so use with caution).
>
> This is basically a port scanning tool, you can specify a remote subnet to scan but you give it the range of addresses to probe, I don't see why you couldn't probe a remote host that just happened to have the same address as the subnet broadcast somewhere.
>
> I guess by definition, if you've got a default gateway configured and are sending traffic to a remote subnet you'll have the local router's MAC address as the destination.
>
> If you're looking to do something a bit more elaborate you can try to use a Sniffer to manufacture a string of packets but it is probably more trouble than it's worth. I'm sure that there are plenty of hacker tools that will do this but you'll probably need to go lurking on some different lists to find them...
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Logan, Harold
> Sent: Wednesday, November 07, 2001 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: IP helper address and subnet broadcast [7:25485]
>
> Interesting... By any chance do you have a packet manipulator available? For added fun you could put together a frame with a destination IP of the subnet's broadcast addy, and a destination MAC of the routers MAC address...
>
> > -----Original Message-----
> > From: R. Benjamin Kessler [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 07, 2001 2:03 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: IP helper address and subnet broadcast [7:25485]
> >
> > I setup a remote unix box running nmap and had it send packets to the subnet broadcast address (in my case 192.168.72.255). I configured my router with an ip helper command (sending to a single host). I executed the nmap command with and without IP directed broadcast configured on the router interface and didn't see any difference.
> >
> > Running a sniffer-like device on the target (of the ip helper command) I was able to verify the receipt of the packets sent via nmap.
> >
> > Given a network similar to the following:
> >
> >        +-------+      +-------+
> >     ---| rtr a |------| rtr b |---
> >     e0 +-------+ e1  e1 +-------+ e0
> >
> > My understanding of directed-broadcast is that if a packet sourced from rtr a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will forward it if directed-broadcast is enabled and drop if not.
> >
> > IP helper impacts packets heading out (from the router) to the interface in question not packets inbound.
> >
> > To take this discussion a step further, the IP helper function processes packets sent to the MAC-layer broadcast address for the specified protocols. A packet sent to the local IP broadcast address (10.10.255.255 in Priscilla's example) will have the same MAC-layer destination address as a packet sent to 255.255.255.255.
> >
> > Comments, questions? Anyone think my logi