Security Internetworking Experts
Security » CCIE Security Lab Forum

Topic: ip option ignore
isferjer
Jr Member

Member # 31478

posted November 06, 2011 06:44 AM
IP OPTION IGNORE is not supported on low-end routers; is there any workaround to this?
Can we use a named ACL to achieve "ignore" rather than "drop"?

Posts: 7 | From: canada | Registered: Oct 2011
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac

Member # 29872

posted November 06, 2011 09:35 PM
Both of them have different purposes.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/sel_drop.html

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
Venkat Ragothaman
Member

Member # 31347

posted November 06, 2011 11:24 PM
quote:
Originally posted by isferjer:
Can we use a named ACL to achieve "ignore" rather than "drop"?

Named ACLs can be used to achieve what 'ip options ignore' would do for you. Here is an example:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtipofil.html#wp1027265

Posts: 24 | From: Bangalore | Registered: Sep 2011
isferjer
Jr Member

Member # 31478

posted November 07, 2011 05:10 AM
Thanks guys,

just to clarify:

ip access-list extended option-ignore-drop
permit ip any any option timestamp
deny ip any any option any-options
permit ip any any

Does this mean that any packet with the timestamp option will be treated as a normal packet and all other packets with IP options will be dropped?

Please comment.

Posts: 7 | From: canada | Registered: Oct 2011
Venkat Ragothaman
Member

Member # 31347

posted November 07, 2011 09:46 AM
quote:
Originally posted by isferjer:

ip access-list extended option-ignore-drop
permit ip any any option timestamp
deny ip any any option any-options
permit ip any any

With the above ACL:

1. An IP packet with the timestamp option will be passed by the first ACE. If there are other options along with timestamp in the packet, it will be passed too.
2. If timestamp is not among the IP options of a packet, it will be denied by the second ACE.
3. An IP packet without IP options will be passed by the third ACE.

Thanks

Posts: 24 | From: Bangalore | Registered: Sep 2011
isferjer
Jr Member

Member # 31478

posted November 07, 2011 09:50 AM
Thanks Venkat,

but what I want to know is whether the timestamp will be processed by the processor, or whether it will be treated as a normal packet and passed through the router without processing.

Posts: 7 | From: canada | Registered: Oct 2011
Venkat Ragothaman
Member

Member # 31347

posted November 07, 2011 11:07 AM
quote:
Originally posted by isferjer:

whether timestamp will be processed by the processor

Yup. The packet with IP options will be punted to the route processor and the option will be processed.
I'm sure you are aware of the fact that such a config can be costly on the router's resources, can potentially be exploited, and should be used with caution only when there is no other workaround.

HTH.

Posts: 24 | From: Bangalore | Registered: Sep 2011
futbolking83
Guru

Member # 31103

posted November 17, 2011 06:22 AM
When speaking of "ip options drop", it appears it is only concerned with an ICMP-type traceroute, aka tracert (Windows), and not with Unix/IOS traceroute (UDP gt 33434). If you want to drop ingress traceroute from IOS or Unix, you must deny udp any any gt 33434.

Anyone disagree?

Posts: 109 | From: NoVa | Registered: Jul 2011
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac

Member # 29872

posted November 17, 2011 09:55 PM
Does "ip option drop" drop only packets destined to the router, or both those and the packets that transit the router?

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
dogfartbig
Guru

Member # 30698

posted November 18, 2011 12:10 AM
IP options drop drops both..... it checks the packet before it goes to the route processor...

REGARDS

Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
Venkat Ragothaman
Member

Member # 31347

posted November 18, 2011 02:29 AM
quote:
Originally posted by futbolking83:
When speaking of "ip options drop", it appears it is only concerned with an ICMP-type traceroute, aka tracert (Windows), and not with Unix/IOS traceroute (UDP gt 33434). If you want to drop ingress traceroute from IOS or Unix, you must deny udp any any gt 33434.

Anyone disagree?

I would disagree if you say 'ip options drop' will drop Windows tracert's icmp packets.

Windows tracert begins by sending an ICMP echo request message with a TTL of 1 and so on until it receives an echo reply from the destination. Windows' method is still the same as Unix's, apart from using ICMP echo request in place of UDP 33434 and terminating with an ICMP echo reply in place of an ICMP port unreachable.

However, 'ip options drop' should drop traceroute based on IP option 18 as in RFC 1393. Linux's 'lft' utility seems to do this kind of IP-options-based traceroute.

Thanks.

Posts: 24 | From: Bangalore | Registered: Sep 2011
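As an added illustration (not from any poster in this thread) of both the ACL walk-through earlier in the thread and the point above that only an RFC 1393 option-based traceroute carries anything for the ACL's option keywords to match, here is a Python model that parses the options area of an IPv4 header and applies the three ACEs in first-match order. The option type values 68 (timestamp) and 82 (traceroute) are the ones Cisco's `option timestamp` and `option traceroute` keywords match; the sample packets are constructed.

```python
import struct

# IP option type values matched by the Cisco ACL option keywords
TIMESTAMP = 68    # "option timestamp" (class 2, number 4)
TRACEROUTE = 82   # RFC 1393 traceroute option (class 2, number 18)
EOOL, NOP = 0, 1  # single-byte options with no length field

def ip_option_types(packet: bytes) -> list:
    """Return the option type values found between byte 20 and the end of the IHL."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    opts, i, types = packet[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == EOOL:          # end of option list; remaining bytes are padding
            break
        types.append(t)
        if t == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("bad option length")
        i += opts[i + 1]       # skip over type, length and option data
    return types

def acl_option_ignore_drop(packet: bytes) -> str:
    """First-match evaluation of the ACL 'option-ignore-drop' quoted in the thread."""
    types = ip_option_types(packet)
    if TIMESTAMP in types:     # permit ip any any option timestamp
        return "permit"
    if types:                  # deny ip any any option any-options
        return "deny"
    return "permit"            # permit ip any any

def build_ipv4(options: bytes) -> bytes:
    """Constructed minimal IPv4 header (no payload) carrying 'options', padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options

# Constructed sample packets: timestamp option (len 8, pointer 5), RFC 1393 traceroute
# option (len 12, all fields zero), an ICMP/UDP-style traceroute probe with no options.
PKT_TIMESTAMP = build_ipv4(bytes([TIMESTAMP, 8, 5, 0, 0, 0, 0, 0]))
PKT_TRACEROUTE = build_ipv4(bytes([TRACEROUTE, 12]) + b"\x00" * 10)
PKT_PLAIN = build_ipv4(b"")
```

A packet carrying NOP plus timestamp is still permitted by the first ACE, which matches the first point of the ACL walk-through.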
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac

Member # 29872

posted November 18, 2011 04:05 AM
I guess "ip option drop" drops both traffic that transits the router and traffic destined to the router.

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
dogfartbig
Guru

Member # 30698

posted November 20, 2011 03:22 AM
Hm... I tried it in the lab.... ip options drop will not drop traceroute at all.... the traffic to the router and also the transit traffic..... is passing without problem.....

REGARDS

Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011