Firewall Wizards mailing list archives

Re: Tool for testing filters?


From: myles <myles () tenhand com>
Date: Wed, 14 Jan 1998 12:52:54 -0800 (PST)


I've had this problem many times as well. 

Usually the problem is that the ISP's spoofing filters are something like

Deny All
Allow tcp|udp|icmp from customer to *
allow tcp|udp|icmp from * to customer (possibly only with syn bit)

This means that IP type 99 or 41 or other ip types used for the VPN 
are dropped. 

A Traceroute modified to use other IP types would be cool.
I've been using tcpdump and some clumsy spoofing software. There are 2
problems I've run into that traceroute would also have: 1) The filters
dropping IP packets tend to black hole connections, rather than sending
back an ICMP message.  2) The filters also drop options like record-route
or source routing that help nail down where the problem is.

Please post if you do come up with a new tool!

myles

On Mon, 12 Jan 1998, Fernando da Silveira Montenegro wrote:

but I don't know about the different IP packet types. Does ICMP hold for
them as well?
It *should*, unless it's being black-holed. I suppose that
seeing the traceroute stall is enough proof that one found a packet filter.

We keep hitting into this problem on implementing VPNs for customers. We
end up having to check every ISP in the path, and we all know the pain
it is to explain the situation to every admin, and those delays keep
adding up...

If no one has this running, I'll give it a shot (modify traceroute).
Otherwise, any pointers?

Thanks in advance!

Regards,
Fernando
--
Fernando da Silveira Montenegro     NutecNet Servicos Corporativos
System/Network Consultant           Sao Paulo, SP, BRAZIL
mailto:montenegro () nutec com br      http://www.nutecnet.com.br
voice.:+55-11-5505-5728             #include <disclaimer.h>
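The filter policy myles sketches above can be checked without any probing: model the rules and sweep every IP protocol number through them to see which ones are silently dropped. The following is an added example, not code from either poster, and it makes assumptions beyond the thread: the customer prefix and host addresses are constructed documentation addresses, the SYN-bit qualifier on the inbound rule is not modelled, and the post's "Deny All" is treated as the default verdict when no allow rule matches. It also goes beyond the two protocol numbers the post names by sweeping all 256 values, which is what you would hand an ISP admin to show exactly what the VPN needs opened.

```python
"""Audit an ISP anti-spoofing filter for silently dropped IP protocol numbers.
Constructed example; the policy shape follows the rules quoted in the post."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# IANA protocol numbers for the three protocols the post's filter allows.
ICMP, TCP, UDP = 1, 6, 17
TCP_UDP_ICMP = frozenset({TCP, UDP, ICMP})
# Protocol numbers the post says the VPN uses and the filter drops.
VPN_PROTOS = frozenset({41, 99})

ANY = "0.0.0.0/0"
CUSTOMER = "198.51.100.0/24"   # constructed customer prefix (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    protos: Optional[FrozenSet[int]]     # None matches any protocol number
    src: str = ANY
    dst: str = ANY

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the packet is dropped, which
    is the post's 'Deny All' acting as the default verdict (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The ISP filter as described in the post (SYN-bit qualifier not modelled).
ISP_FILTER = [
    Rule("allow", TCP_UDP_ICMP, src=CUSTOMER),
    Rule("allow", TCP_UDP_ICMP, dst=CUSTOMER),
]

# The same filter with the VPN protocol numbers explicitly allowed both ways.
VPN_AWARE_FILTER = ISP_FILTER + [
    Rule("allow", VPN_PROTOS, src=CUSTOMER),
    Rule("allow", VPN_PROTOS, dst=CUSTOMER),
]


def blocked_protocols(rules: List[Rule], src: str, dst: str) -> Set[int]:
    """Sweep all 256 IP protocol numbers from src to dst and return the ones
    the policy drops.  A drop here is silent: no ICMP comes back, which is
    why a stalled traceroute is the only symptom the post describes."""
    return {p for p in range(256) if evaluate(rules, Packet(src, dst, p)) == "deny"}


if __name__ == "__main__":
    cust_host, far_host = "198.51.100.10", "192.0.2.5"   # constructed hosts
    for name, policy in (("ISP filter", ISP_FILTER),
                         ("VPN-aware filter", VPN_AWARE_FILTER)):
        dropped = sorted(VPN_PROTOS & blocked_protocols(policy, cust_host, far_host))
        print(f"{name}: VPN protocol numbers dropped outbound = {dropped}")
```

Running it prints `[41, 99]` for the ISP filter and `[]` for the amended one; the same sweep with source and destination swapped checks the inbound direction, which is where a filter that only opens one way still black-holes the tunnel.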