Saturday, October 18, 2008

Reflexive ACL and Traceroute


In this post I describe reflexive ACLs and their implementation, and then look at what happens when traceroute is run through a reflexive ACL.

The requirement with the above topology is that R6 is secured against unauthorised access from bb1. R6 should only allow TCP, UDP and ICMP traffic in from bb1 if the session was originated from behind R6. Additionally, traceroute must work successfully from behind R6.

I create a reflexive ACL to meet this requirement. On the outside interface S2/0 I create and apply the REFLECT ACL outbound; the entries tagged with the reflect keyword populate a temporary reflexive list (RICH), and the inbound ACL on the same interface later allows that return traffic back in with an evaluate statement, as follows:

ip access-list extended REFLECT
permit tcp any any reflect RICH
permit udp any any reflect RICH
permit icmp any any echo reflect RICH
permit ip any any

int s2/0
ip access-group REFLECT out

As per the lab requirement, the REFLECT ACL has entries for TCP, UDP and ICMP traffic, along with a generic permit, as there is no requirement to block any outbound traffic. Only the entries carrying the reflect keyword create temporary entries in RICH; the final permit ip any any just lets everything else out.

I then create the inbound ACL for the S2/0 interface. Care needs to be taken to ensure that existing routing protocol traffic (RIP and BGP here) is not disrupted, and the evaluate statement must come before the final deny, otherwise the reflected traffic never gets a chance to match.

ip access-list extended INACL
permit udp any any eq rip
permit tcp any any eq bgp
permit tcp any eq bgp any
evaluate RICH
deny ip any any log

int s2/0
ip access-group INACL in

From R3 I now try an outbound TCP session to check that the reflexive ACL is working as it should.

R3#telnet 200.1.1.1

Trying 200.1.1.1 ... Open

Success! I examine the ACLs on R6 and can see the reflexive ACL has come into effect: the temporary entry is the mirror image of the outbound telnet session (source and destination addresses and ports swapped) and will expire when its timer runs out.

R6#show ip access-list RICH

Reflexive IP access list RICH permit tcp host 200.1.1.1 eq telnet host 136.1.136.3 eq 48296 (27 matches)(time left 7)


Now I try traceroute from R3 as per the lab requirement.

Rack1R3#TRACE 200.1.1.1

Type escape sequence to abort.
Tracing the route to 200.1.1.1
1 136.1.136.6 496 msec 996 msec 392 msec
2 * * *
3 * * *
4 * * *
5 * * *

Failure! I examine the reflexive ACL on R6:


R6#show ip access-list RICH

Reflexive IP access list RICH permit udp host 200.1.1.1 eq 33480 host 136.1.136.3 eq 37054 (1 match) (time left 19)

I can see that a reflexive entry has been created for the outbound UDP probe, but the traceroute is still failing.

I run a packet capture to determine the problem. From this I can see that the outbound traceroute probe leaves as a UDP packet to a high destination port, but the response from the far-end router comes back as an ICMP port-unreachable message.

This explains the failure: the exchange falls foul of the reflexive ACL logic because the returning packet is a different protocol (ICMP) from the outbound one (UDP), so it can never match the mirrored UDP entry in RICH. The evaluate statement does not permit it and it hits the final deny.
To get around this problem, an explicit entry is needed in the inbound ACL to permit ICMP port-unreachable messages. It is placed after the evaluate statement (sequence 41) so that it still sits before the deny. In this topology bb1 answers from the next hop, so only port-unreachable is needed; if there were further routers between R6 and the destination, their ICMP time-exceeded replies to the intermediate probes would have to be permitted in the same way.

R6(config)#ip access-list ext INACL
R6(config-ext-nacl)#41 permit icmp any any port-unreachable

I then try traceroute from R3, this time with success:

R3#TRACE 200.1.1.1
Type escape sequence to abort.

Tracing the route to 200.1.1.1
1 136.1.136.6 724 msec 548 msec 208 msec
2 54.1.3.254 1272 msec 876 msec 1056 msec

Another protocol that falls foul of reflexive ACL logic is active FTP. Here the client opens the control session to the server's port 21, but the server then opens the data connection itself, from its port 20 back to the port the client announced in the PORT command. That connection is initiated from the outside on different ports, so no reflexive entry created by the control session can match it and the data connection is dropped. Handling this needs something that understands the protocol, such as IOS stateful inspection (CBAC, ip inspect), or a switch to passive FTP, where the client initiates the data connection as well and the reflexive TCP entry covers it.
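To make the matching logic concrete, here is a small Python model of the reflect/evaluate behaviour. This is an added example, not code from the post and not Cisco's implementation, and it deliberately simplifies IOS (no timeouts, no TCP session-end tracking, and an ICMP reflexive entry is treated as address-only). It replays the telnet, traceroute and active FTP cases above against the INACL shown earlier and against a version with the explicit ICMP permits added; the time-exceeded line and the hop address 192.0.2.1 are assumptions for a longer path that the post's two-hop topology did not need.

```python
"""Toy model of IOS reflexive-ACL matching (added example, not the post's
own config or Cisco's code). Addresses, ports and ACL layout follow the
post; the packets are constructed here. Assumptions of the model: no
timeouts, no FIN/RST tracking, ICMP reflexive entries are address-only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP
    dport: int = 0
    icmp: str = ""      # ICMP message name, e.g. "port-unreachable"


@dataclass
class Ace:
    """One line of an extended ACL. None means 'any'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp: Optional[str] = None
    reflect: Optional[str] = None   # reflexive list this line populates
    evaluate: Optional[str] = None  # reflexive list this line consults

    def matches(self, p: Pkt) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp is None or self.icmp == p.icmp))


class ReflexiveRouter:
    """Outbound ACL populates the reflexive list; inbound ACL evaluates it."""

    def __init__(self, outbound, inbound):
        self.outbound, self.inbound = outbound, inbound
        self.reflex = {}   # list name -> set of mirrored Pkt templates

    def send_out(self, p: Pkt) -> bool:
        for ace in self.outbound:
            if ace.matches(p):
                if ace.action == "permit" and ace.reflect:
                    # Mirror image: same protocol, addresses and ports swapped.
                    mirror = Pkt(p.proto, p.dst, p.src, p.dport, p.sport)
                    self.reflex.setdefault(ace.reflect, set()).add(mirror)
                return ace.action == "permit"
        return False   # implicit deny at the end of the ACL

    def receive_in(self, p: Pkt) -> bool:
        for ace in self.inbound:
            if ace.evaluate:
                # evaluate only permits an exact mirror of an earlier outbound packet
                key = (p.proto, p.src, p.dst, p.sport, p.dport)
                if any((m.proto, m.src, m.dst, m.sport, m.dport) == key
                       for m in self.reflex.get(ace.evaluate, ())):
                    return True
                continue   # no temporary entry matched; fall through to later lines
            if ace.matches(p):
                return ace.action == "permit"
        return False


# The post's ACLs: REFLECT applied outbound, INACL inbound on S2/0.
REFLECT = [Ace("permit", "tcp", reflect="RICH"),
           Ace("permit", "udp", reflect="RICH"),
           Ace("permit", "icmp", icmp="echo", reflect="RICH"),
           Ace("permit", "ip")]
INACL = [Ace("permit", "udp", dport=520),          # rip
         Ace("permit", "tcp", dport=179),          # bgp
         Ace("permit", "tcp", sport=179),
         Ace("permit", "ip", evaluate="RICH"),
         Ace("deny", "ip")]                        # deny ip any any log
# Fix from the post (seq 41, between evaluate and deny) plus the assumed
# time-exceeded permit a multi-hop path would also need.
INACL_FIXED = INACL[:4] + [Ace("permit", "icmp", icmp="port-unreachable"),
                           Ace("permit", "icmp", icmp="time-exceeded")] + INACL[4:]

R3, BB1 = "136.1.136.3", "200.1.1.1"
HOP = "192.0.2.1"   # constructed intermediate router, not in the post's topology


def run_scenarios(inbound) -> dict:
    """Replay the post's sessions through R6 and report what gets back in."""
    r = ReflexiveRouter(REFLECT, inbound)
    out = {}
    r.send_out(Pkt("tcp", R3, BB1, 48296, 23))                         # telnet from R3
    out["telnet_reply"] = r.receive_in(Pkt("tcp", BB1, R3, 23, 48296))
    out["unsolicited_syn"] = r.receive_in(Pkt("tcp", BB1, R3, 40000, 23))
    r.send_out(Pkt("udp", R3, BB1, 37054, 33480))                      # traceroute probe
    out["trace_udp_mirror"] = r.receive_in(Pkt("udp", BB1, R3, 33480, 37054))
    out["trace_port_unreach"] = r.receive_in(Pkt("icmp", BB1, R3, icmp="port-unreachable"))
    out["trace_time_exceeded"] = r.receive_in(Pkt("icmp", HOP, R3, icmp="time-exceeded"))
    r.send_out(Pkt("tcp", R3, BB1, 50001, 21))                         # active FTP control
    out["ftp_control_reply"] = r.receive_in(Pkt("tcp", BB1, R3, 21, 50001))
    out["ftp_active_data"] = r.receive_in(Pkt("tcp", BB1, R3, 20, 50002))  # server-initiated
    return out


if __name__ == "__main__":
    print("original INACL:", run_scenarios(INACL))
    print("with ICMP permits:", run_scenarios(INACL_FIXED))
```

The UDP mirror entry is there in both runs, exactly as the show output above reported, yet the ICMP reply is only admitted once the explicit permit exists; the unsolicited SYN and the server-initiated FTP data connection stay blocked in both runs, which is the behaviour the reflexive list is meant to give you.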
