Hi Mike,
I still don't understand how we can jump from GRE to the ICMP without
matching the inner IP header first.
In GRE we have OUTER_IP | GRE | INNER_IP | ICMP.
Class Map type stack match-all STACK-GRE (id 1)
Match field IP protocol eq 0x2F next ICMP
In your stack class-map you are matching the OUTER_IP which is followed by
GRE then the next protocol should be ICMP but what happens with the
INNER_IP? Actually this is why I have started to play with this.
Please comment!
On Wed, Jun 20, 2012 at 7:10 PM, Mike Rojas <[email protected]> wrote:
> Hey,
>
> Yeah, weird isn't it? Most people think that it is mandatory to have a "next
> GRE" when mounting the stack, but if you are not going to match anything on
> that specific header, why would you mount it?
> I don't know... I ended up liking it a lot, of course it can get really
> nasty.
>
> Mike
>
> ------------------------------
> Date: Wed, 20 Jun 2012 15:52:05 -0700
>
> Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Hi Mike,
>
> Code 0 means no code, and majority of the ICMP types have code 0. As a
> result you will drop much more than echo/echo reply.
> And you are right, for some reason matching types for ICMP is not working
> in this case.
>
> On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas <[email protected]> wrote:
>
> Oszkar,
>
> You are right. I sent a clarification on this exercise: it will drop any
> ICMP message within GRE that has a code 0 on it. It seems that there is a
> problem with FPM because it cannot match types correctly. If I match code
> 0 it will drop both ICMP echo and echo reply because they both have code 0
> on them.
>
> Mike
>
>
> ------------------------------
> Date: Wed, 20 Jun 2012 13:40:32 -0700
> Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Hi Mike,
>
> Why did you choose to look for code 0? Code 0 means a different thing for
> each ICMP type.
> I think for echo messages you should look for ICMP type 8.
> Now the interesting part is that if you try to match ICMP type 8 instead
> of code 8 your solution won't work.
>
>
> Oszkar
>
>
>
> Annnnnnnd Bingo,
>
> I was right, since it is encapsulated and not encrypted, we can match
> whatever is inside the GRE packet... we are matching, not crafting....
>
> Here is the example of dropping ICMP echo messages encapsulated in GRE...
>
> Class Map type access-control match-all ICMP (id 2)
> Match field ICMP code eq 0 mask 0x1
>
> Class Map type stack match-all STACK-GRE (id 1)
> Match field IP protocol eq 0x2F next ICMP
>
>
> Policy Map type access-control STACK-GRE
> Class STACK-GRE
> service-policy ICMP-DROP-GRE
>
> Policy Map type access-control ICMP-DROP-GRE
> Class ICMP
> drop
>
>
>
>
> Router1#sh policy-map type access-control interface fa 0/1
> FastEthernet0/1
>
> Service-policy access-control input: STACK-GRE
>
> Class-map: STACK-GRE (match-all)
> 5 packets, 690 bytes
> 5 minute offered rate 0 bps
> Match: field IP protocol eq 0x2F next ICMP
>
> Service-policy access-control : ICMP-DROP-GRE
>
> Class-map: ICMP (match-all)
> 5 packets, 690 bytes
> 5 minute offered rate 0 bps
> Match: field ICMP code eq 0 mask 0x1
> drop
>
> Class-map: class-default (match-any)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
>
> Class-map: class-default (match-any)
> 2 packets, 1236 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
>
>
>
>
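The thread above turns on two points: where the ICMP header actually sits in an OUTER_IP | GRE | INNER_IP | ICMP packet, and why a match on ICMP code 0 catches far more than echo requests. The following script is an added illustration and not part of the original mailing-list discussion or any Cisco FPM code. It builds constructed GRE-in-IPv4 packets carrying ICMP, walks the encapsulation layer by layer (outer IP, GRE, inner IP, ICMP) to find each header's byte offset, and then evaluates two simplified filter predicates, "code eq 0" and "type eq 8", against echo request, echo reply and destination-unreachable messages. The addresses, the `parse_stack` / `fpm_match_code0` / `fpm_match_type8` names and the plain-equality match semantics are assumptions for this example; the FPM `mask 0x1` qualifier from the class-map is deliberately not modelled.

```python
import struct

GRE_PROTO = 0x2F        # IP protocol number for GRE (47), as in "match field IP protocol eq 0x2F"
ICMP_PROTO = 1          # IP protocol number for ICMP
ETHERTYPE_IPV4 = 0x0800 # GRE protocol-type field value for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (data is zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type: int, code: int, payload: bytes = b"abcd") -> bytes:
    """ICMP header (type, code, checksum, identifier, sequence) plus a small payload."""
    msg = struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + payload
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]


def gre_over_ipv4(icmp_type: int, code: int) -> bytes:
    """Constructed packet: OUTER_IP | GRE | INNER_IP | ICMP (addresses are made up for the example)."""
    icmp = icmp_message(icmp_type, code)
    inner_ip = ipv4_header(b"\x0a\x00\x01\x01", b"\x0a\x00\x02\x01", ICMP_PROTO, len(icmp)) + icmp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0 -> 4-byte GRE header
    outer = ipv4_header(b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02", GRE_PROTO, len(gre) + len(inner_ip))
    return outer + gre + inner_ip


def parse_stack(pkt: bytes) -> dict:
    """Walk the encapsulation and report each header's offset plus the inner ICMP type/code."""
    layers = {}
    off = 0
    layers["outer_ip"] = off
    if pkt[off + 9] != GRE_PROTO:
        raise ValueError("outer IP payload is not GRE")
    off += (pkt[off] & 0x0F) * 4                       # skip outer IP header (IHL in 32-bit words)

    layers["gre"] = off
    flags = (pkt[off] << 8) | pkt[off + 1]
    if struct.unpack("!H", pkt[off + 2:off + 4])[0] != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0              # C bit: checksum + reserved1
    gre_len += 4 if flags & 0x2000 else 0              # K bit: key
    gre_len += 4 if flags & 0x1000 else 0              # S bit: sequence number
    off += gre_len

    layers["inner_ip"] = off                           # the header the top post asks about
    if pkt[off + 9] != ICMP_PROTO:
        raise ValueError("inner IP payload is not ICMP")
    off += (pkt[off] & 0x0F) * 4

    layers["icmp"] = off
    layers["icmp_type"] = pkt[off]
    layers["icmp_code"] = pkt[off + 1]
    return layers


def fpm_match_code0(pkt: bytes) -> bool:
    """Simplified stand-in for 'match field ICMP code eq 0' (mask not modelled)."""
    return parse_stack(pkt)["icmp_code"] == 0


def fpm_match_type8(pkt: bytes) -> bool:
    """Simplified stand-in for a type-based match on ICMP echo request."""
    return parse_stack(pkt)["icmp_type"] == 8


if __name__ == "__main__":
    for name, (t, c) in {"echo request": (8, 0), "echo reply": (0, 0),
                         "net unreachable": (3, 0), "host unreachable": (3, 1)}.items():
        pkt = gre_over_ipv4(t, c)
        print(f"{name:16} offsets={parse_stack(pkt)} code0={fpm_match_code0(pkt)} type8={fpm_match_type8(pkt)}")
```

Running it shows the inner IP header at offset 24 and the ICMP header at offset 44 for a GRE header without optional fields, and that "code eq 0" is true for echo request, echo reply and ICMP type 3 code 0 alike, which is exactly the over-broad drop Oszkar describes; only the type-based predicate isolates echo requests.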
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com