SixXS::Sunset 2017-06-06

Why is ISP disabling traceroute?
[dk] Shadow Hawkins on Monday, 11 November 2013 11:03:25
Are there any good reasons why an ISP is disabling traceroute? On my sixxs-tunnel a traceroute takes "no time":

 1  2001:16d8:dd00:b5::1  4.944 ms  4.905 ms  4.955 ms
 2  2001:16d8:aaaa:5::2  4.915 ms  6.274 ms  4.902 ms
 3  2001:16d8:aaaa:5::1  5.453 ms  4.686 ms  9.236 ms
 4  2001:16d8:1:136a::1  5.911 ms  6.42 ms  6.192 ms
 5  2001:16d8:1:1306::72  6.687 ms  6.421 ms  7.605 ms
 6  2001:16d8:1:1357::70  19.103 ms  17.804 ms  18.338 ms
 7  2001:7f8:1::a501:2871:1  18.426 ms  18.178 ms  20.249 ms
 8  2001:838:5:a::2  20.313 ms  21.24 ms  20.572 ms
 9  2001:838:2:1::30:67  25.597 ms  24.668 ms  25.443 ms
    0m0.37s real     0m0.00s user     0m0.01s system

On my new native IPv6, I see my default gw at the other end of the fibre, then the next few hops do not answer, so a traceroute takes 1m34s!!

traceroute6 to sixxs.net (2001:838:2:1::30:67) from 2a02:188:12c:4::2, 64 hops max, 12 byte packets
 1  2a02:188:12c:4::1  2.931 ms  2.657 ms  2.559 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:838:2:1::30:67  20.772 ms  15.368 ms  23.972 ms
    1m34.68s real     0m0.01s user     0m0.00s system

Luckily, I can install mtr, Matt's TraceRoute, which does not delay for hops not answering.
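To make the difference between the two runs concrete, here is an added example (not code from the post or from SixXS) that parses traceroute6 output of the numeric form shown above, lists the hops that never answered, checks that the destination was still reached, and estimates how much wall-clock time the unanswered probes cost. The two sample traces are copied from the post; the per-probe timeout is an assumption (traceroute's -w value, commonly 5 seconds) and should be checked against the manual page of the traceroute in use.

```python
"""Parse traceroute6 output and account for silent hops.

Added example for this thread, not code from the original posts. It
reads the numeric hop lines traceroute6 prints (hop number, responding
address, one RTT or '*' per probe), lists the hops that never answered,
and estimates how much wall-clock time those unanswered probes cost
under an assumed per-probe timeout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample outputs copied from the forum post (numeric form, no hostnames).
TUNNEL_TRACE = """\
 1  2001:16d8:dd00:b5::1  4.944 ms  4.905 ms  4.955 ms
 2  2001:16d8:aaaa:5::2  4.915 ms  6.274 ms  4.902 ms
 3  2001:16d8:aaaa:5::1  5.453 ms  4.686 ms  9.236 ms
 4  2001:16d8:1:136a::1  5.911 ms  6.42 ms  6.192 ms
 5  2001:16d8:1:1306::72  6.687 ms  6.421 ms  7.605 ms
 6  2001:16d8:1:1357::70  19.103 ms  17.804 ms  18.338 ms
 7  2001:7f8:1::a501:2871:1  18.426 ms  18.178 ms  20.249 ms
 8  2001:838:5:a::2  20.313 ms  21.24 ms  20.572 ms
 9  2001:838:2:1::30:67  25.597 ms  24.668 ms  25.443 ms
    0m0.37s real     0m0.00s user     0m0.01s system
"""

NATIVE_TRACE = """\
traceroute6 to sixxs.net (2001:838:2:1::30:67) from 2a02:188:12c:4::2, 64 hops max, 12 byte packets
 1  2a02:188:12c:4::1  2.931 ms  2.657 ms  2.559 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:838:2:1::30:67  20.772 ms  15.368 ms  23.972 ms
    1m34.68s real     0m0.01s user     0m0.00s system
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S.*)$")      # "<ttl>  <rest of line>"
RTT = re.compile(r"([0-9]+(?:\.[0-9]+)?)\s*ms")     # "4.944 ms"


@dataclass
class Hop:
    ttl: int
    address: Optional[str]            # None when no probe was answered
    rtts_ms: List[float] = field(default_factory=list)
    timeouts: int = 0                 # probes printed as '*'

    @property
    def silent(self) -> bool:
        return self.address is None


def parse_traceroute6(text: str) -> List[Hop]:
    """Turn traceroute6 output into Hop records; header and timing lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue   # "traceroute6 to ..." header or the shell's timing footer
        ttl, rest = int(m.group(1)), m.group(2)
        tokens = rest.split()
        address = None if tokens[0] == "*" else tokens[0]
        hops.append(Hop(ttl, address,
                        [float(v) for v in RTT.findall(rest)],
                        tokens.count("*")))
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """TTLs of hops where every probe timed out."""
    return [h.ttl for h in hops if h.silent]


def estimated_wait_s(hops: List[Hop], probe_timeout_s: float = 5.0) -> float:
    """Seconds spent waiting on probes that got no reply.

    probe_timeout_s is an assumption (traceroute's -w value); 5 s is a
    common default, but check the manual page of your implementation.
    """
    return sum(h.timeouts for h in hops) * probe_timeout_s


def reached(hops: List[Hop], target: str) -> bool:
    """True when the last hop is the target: silence in the middle then means
    intermediate routers are not answering, not that the path is broken."""
    return bool(hops) and hops[-1].address == target


if __name__ == "__main__":
    for name, trace in (("tunnel", TUNNEL_TRACE), ("native", NATIVE_TRACE)):
        hops = parse_traceroute6(trace)
        print(f"{name}: {len(hops)} hops, silent={silent_hops(hops)}, "
              f"reached={reached(hops, '2001:838:2:1::30:67')}, "
              f"~{estimated_wait_s(hops):.0f}s spent on timeouts")
```

Run as-is it reports the tunnel path with no silent hops and the native path with hops 2 to 6 silent while the destination is still reached; the wait estimate (15 unanswered probes times the assumed timeout) is what turns a 20 ms path into a multi-second traceroute.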
Why is ISP disabling traceroute?
[ch] Jeroen Massar SixXS Staff on Monday, 11 November 2013 22:03:47
Are there any good reasons why an ISP is disabling traceroute?
No. None at all. Best to contact your provider about this problem. Some ISPs think it is smart to disable ICMPv6 responses though, or do other kinds of filters; they clearly then don't understand what the use of ICMP is. Do make sure that you are using a proper source address and that your routing is set up properly. You will see the same problem if you are using wrong source addresses.
Why is ISP disabling traceroute?
[us] Shadow Hawkins on Friday, 15 November 2013 21:05:56
Jeroen Massar wrote:
> Are there any good reasons why an ISP is disabling traceroute?
> No. None at all. Best to contact your provider about this problem.
I worked for an ISP as a network engineer for ten years. There are two good reasons why ICMP responses would not come back. Routers are busy moving user traffic. To respond to ICMP means chewing up valuable resources. So, the devices will rate limit or simply not respond to ICMP. The second reason is simply a security concern; ICMP could possibly be used to exploit something. Turning off ICMP means losing a valuable troubleshooting tool but will reduce the attack surface of your backbone gear. They make the trade-off and disable ICMP. You may disagree (I personally would leave it turned on but rate limited) but there are good reasons.
Why is ISP disabling traceroute?
[ch] Jeroen Massar SixXS Staff on Sunday, 17 November 2013 17:45:26
Routers are busy moving user traffic. To respond to ICMP means chewing up valuable resources. So, the devices will rate limit or simply not respond to ICMP.
If a pipe is full, you will not get responses for packets. Very few proper current backbone routers have a different processing path for ICMP than for normal packets though. And the default for rate-limiting ICMP fortunately was removed years ago.
ICMP could possibly be used to exploit something.
Exploit what exactly? Please name one (1) thing...
They make the trade-off and disable ICMP.
Only uninformed folks do that.
but there are good reasons
Which ones then? :)
Why is ISP disabling traceroute?
[us] Shadow Hawkins on Monday, 18 November 2013 18:47:59
Jeroen Massar wrote:
Very few proper current backbone routers have a different processing path for ICMP than for normal packets though. And the default for rate-limiting ICMP fortunately was removed years ago.
In my experience many platforms handle ICMP differently than user traffic. For instance, the Cisco 7600 handles typical user traffic on hardware ASICs, usually right on the line card where the packet is handled. Routing protocols, SSH, SNMP, ICMP, etc. get moved to the CPU on the supervisor card for processing. Whenever you see a really big device with hundreds of ports you should look into it; it's probably not a traditional router but a carrier-grade Layer-3 switch. The ASICs are what give it the huge horsepower across a huge number of ports. But ASICs generally do not handle ICMP. For a more traditional router you can take a Cisco 7206VXR with the NPE-G2 processor. It is true, user and mgmt and ctrl-plane traffic are all handled by the CPU. But, user traffic is generally handled in one cycle of the interrupt controller, which Cisco calls CEF. If the packet needs something special done to it the packet may be "punted" to the CPU where it is scheduled with all the other housekeeping tasks on the router. Modern platforms have QoS for punted packets so OSPF neighbor messages will have a better chance of being processed than ICMP. This QoS on the control plane helps, but it proves the point; CPU time is a finite resource and needs to be rationed.
ICMP could possibly be used to exploit something.
Exploit what exactly? Please name one (1) thing...
I made the statement that ICMP could be used as part of an exploit. Unless you would like to argue that there is absolutely no way ICMP could be exploited, then my statement stands. Security is not just about "there is a finite list of all known exploits, let's protect against all of them." Reducing your attack surface, even in areas where there is no known exploit, is sometimes the best defense.
They make the trade-off and disable ICMP.
Only uninformed folks do that.
I've provided my experience and background. I was the senior engineer for some of the ten years I spent at an ISP. My work involved physical topology, BGP/OSPF, security, etc. If your network Kung Fu is stronger than mine and you would like to provide examples, maybe we could address the issue of uninformed (which I admit is a relative term!).
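The position taken earlier in this thread ("leave it turned on but rate limited") and the description above of QoS for packets punted to the CPU both come down to a policer in front of the control plane. The following is an added example, not vendor configuration or code from either poster: a token-bucket policer applied to ICMP destined to the router's CPU, run over two constructed arrival patterns. The policer settings (100 packets per second sustained, 50-packet burst) and the arrival patterns are assumptions chosen for illustration.

```python
"""Token-bucket policer for ICMP punted to a router's CPU.

Added example for the control-plane discussion in this thread; it is
not configuration or code from any vendor or from the posts. It models
the "leave ICMP on but rate limited" option: every packet destined to
the control plane consumes one token, tokens refill at a sustained rate
and accumulate up to a burst, and packets arriving with no token are
dropped. The arrival patterns below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TokenBucket:
    rate_pps: float     # sustained packets/second the CPU is allowed to see
    burst: int          # tokens that may accumulate while the link is quiet
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # start full, like a freshly applied policer

    def admit(self, t: float) -> bool:
        """Refill for the time elapsed since the last packet, then try to spend one token."""
        self.tokens = min(float(self.burst), self.tokens + (t - self.last_t) * self.rate_pps)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def police(arrivals: List[float], rate_pps: float, burst: int) -> Tuple[int, int]:
    """Run sorted packet timestamps through a policer; returns (admitted, dropped)."""
    bucket = TokenBucket(rate_pps, burst)
    admitted = dropped = 0
    for t in arrivals:
        if bucket.admit(t):
            admitted += 1
        else:
            dropped += 1
    return admitted, dropped


def traceroute_arrivals(hops: int = 30, probes_per_hop: int = 3, gap_s: float = 0.02) -> List[float]:
    """Constructed diagnostic load: one traceroute, one probe every gap_s seconds."""
    return [i * gap_s for i in range(hops * probes_per_hop)]


def flood_arrivals(pps: float, duration_s: float) -> List[float]:
    """Constructed abusive load: pps packets/second for duration_s seconds."""
    return [i / pps for i in range(int(pps * duration_s))]


if __name__ == "__main__":
    RATE, BURST = 100.0, 50   # assumed policer settings: 100 pps sustained, 50-packet burst
    print("traceroute (admitted, dropped):", police(traceroute_arrivals(), RATE, BURST))
    print("10k pps flood (admitted, dropped):", police(flood_arrivals(10_000, 1.0), RATE, BURST))
```

With these settings the diagnostic traceroute passes untouched (90 admitted, 0 dropped) while a one-second burst of 10,000 packets is cut to roughly burst plus rate, about 150 packets reaching the CPU; the troubleshooting tool keeps working and the CPU cost stays bounded, which is the trade-off the thread is arguing about.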
Why is ISP disabling traceroute?
[ch] Jeroen Massar SixXS Staff on Tuesday, 19 November 2013 08:47:37
it's probably not a traditional router but a carrier-grade Layer-3 switch.
The simple answer is to not use underpowered-for-the-situation devices for tasks you want them to accomplish. It does not make ICMP the problem, but your choice of platform is the problem. There is a lot of other traffic that gets handled by the CPU; proper attackers will know what that traffic type is and just use that instead of ICMP, while ICMP actually has a value to the network which, by disabling it, just causes problems.
I made the statement that ICMP could be used as part of an exploit.
HTTP could be used as part of an exploit, or actually IS being used as part of exploits. You disabled that too? :) Disabling things that one does not properly understand does not make sense.
Reducing your attack surface, even in areas where there is no known exploit, is sometimes the best defense.
In that case, you better unplug from this magical thing called the Internet ;)
I've provided my experience and background.
Stating by default that disabling ICMP is a good thing shows how much that experience is worth though... As many folks in the operational community will tell you: "we recommend that our competitors do exactly that".
Why is ISP disabling traceroute?
[dk] Shadow Hawkins on Tuesday, 12 November 2013 11:37:47
I suppose I'm doing proper routing; I have one machine connected to one ISP with the tunnel to the PoP, and another with the native IPv6 to the other ISP. I wouldn't get a reply from the destination or the hops after it if I weren't doing routing and source right, right?
Why is ISP disabling traceroute?
[ch] Jeroen Massar SixXS Staff on Tuesday, 12 November 2013 12:59:33
If that is all you configured you are likely doing it wrong. Please show the interface and address lists, routing tables and your firewall rules.
Why is ISP disabling traceroute?
[dk] Shadow Hawkins on Wednesday, 13 November 2013 06:30:31
The two machines are my OpenBSD routers/firewalls, each connected to their own router delivered from the ISPs supplying the fibre. On the new one with the "defective" traceroute and native IPv6, there are no rules and no real machines behind it yet. So it's so simple I doubt there can be anything misconfigured :-)


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker