Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!

Glen Turner (glen.turner@ITD.ADELAIDE.EDU.AU)
Wed, 23 Jul 1997 12:10:19 +0930

Michael Douglass wrote:

> From: Edward Henigin <ed@texas.net>
> To: Michael Douglass <mikedoug@texas.net>
> Subject: broadcast filtering HOWTO
> ...
> I've just been made aware of a command for ciscos,
> 'ip directed-broadcast'. Specifically, the 'no' form of the command
> will not convert broadcast packets (all ones, I think) into broadcast
> ethernet packets, on the final, directly connected interface. From
> cisco's online documentation:
>
> To enable the translation of directed broadcast to physical
> broadcasts, use the ip directed-broadcast interface
> configuration command. To disable this function, use the no
> form of this command.
>
> What I take this to mean is that 'no ip directed-broadcast'
> will prevent the mapping of broadcast packets (I don't know
> what your cisco will guess 'broadcast packets' are) to broadcast
> ethernet framing. I think this will help... although I don't know all
> the ramifications, because I haven't used it, and don't know anyone
> who has.

Which is right as far as it goes. The command only prevents the
mapping for protocols maintained for broadcast forwarding by the
`ip forward-protocol' command (UDP protocols TFTP, DNS, time, NetBIOS,
BOOTP, TACACS by default). Broadcast forwarding is useful for allowing
IP subnets without servers to see server advertisements. For example,
broadcast forwarding allows a single NetBIOS server to serve a
multiple-subnet network.

The real purpose of the `ip directed-broadcast' command is to
allow the filtering of server visibility and reachability
(for example, allowing departmentally-maintained BOOTP servers).

It does not prevent translation of a generic 'ping 1.2.3.255' to
an ethernet broadcast.

> And a final note: there are very few applications which depend
> on the routing of broadcast packets. You may know of one such
> application; if it's a popular one that you think lots of people are
> using, speak up. So you should feel safe in blocking broadcast
> traffic in your network.

BOOTP and DHCP are obvious applications that rely on
directed broadcast forwarding. In a large modern IP
network, you really need one of these two protocols.

Cheers,
glen

--
glen.turner@itd.adelaide.edu.au     Network Support Specialist
Tel: (08) 8303 3936            Information Technology Division
Fax: (08) 8303 4400             University of Adelaide SA 5005
...- -.- ..... --. -.. -   http://www.adelaide.edu.au/~gturner
    --  A university is a loosely-coupled organisation --
    --  held together by a common interest in parking. --
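An added configuration example, not taken from Glen's, Michael's or Edward's post, showing the two IOS commands the thread discusses side by side: `ip forward-protocol` narrowed to BOOTP/DHCP only, `ip helper-address` relaying those client broadcasts to a server on another subnet, and `no ip directed-broadcast` on every interface. The interface names and the 192.0.2.0/24, 198.51.100.0/24 and 198.51.100.10 addresses are constructed placeholders.

```cisco
! Added example; interface names and addresses are placeholders.
!
! Global: restrict UDP broadcast forwarding to BOOTP/DHCP (port bootps).
! The IOS default list also forwards TFTP, DNS, time, NetBIOS and TACACS,
! so each of those is switched off explicitly here.
ip forward-protocol udp bootps
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! Serverless user subnet. Client DHCP/BOOTP broadcasts are picked up by the
! helper address and relayed to the server as unicast, so the clients keep
! working without any broadcast being translated on this segment.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
 no ip directed-broadcast
!
! Server subnet. No helper is needed here, and directed-broadcast
! translation is disabled on this interface as well.
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
```

Apply `no ip directed-broadcast` to every IP interface, not only the ones facing users; an interface left at the default is still a target for traffic aimed at its subnet's broadcast address. On IOS, `show ip interface Ethernet0` reports whether directed broadcast forwarding is enabled or disabled on that interface and lists the helper addresses in effect, which is the quickest way to confirm the change took.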