nanog mailing list archives

RE: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec

From: "Lincoln Dale" <ltd () interlink com au>
Date: Mon, 7 May 2007 12:37:23 +1000

i guess what i'm saying is that you can't read much from the backscatter of
what a either:
 - ping of each hop
 - eliciting a response from each hop (as traceroute does)
as the basis for determining much.

you can perhaps derive SOME meaning from it, but that meaning rapidly
diminishes when there are multiple intermediate networks involved, some of
which you have no direct connectivity to verify problems with easily,

likely

different return path for traffic (asymmetric routing) etc.


When the cards consistently fall in certain patterns, you can actually
read them quite easily.

The standard control plane arguments dont apply when the pattern holds
all the way through to equipment under your {remote-}control.


it most certainly does.  lets use an example network of:

        F
        |
A---B---C---D---E
        |
        G


you are looking at ICMP/traceroute responses through sending traffic to/from A
& E.

for all you know, there may be an ICMP DDoS attack going on from F-C or from
G-C.  the router 'C' is perfectly entitled to rate-limit the # of icmp
responses it sends per second, and due to said traffic from F & G may be doing
so.

this would render your reading of the tea leaves of what A and E are seeing of
C.

this diagram is incredibly simplistic.  for the "greater internet", we could
add perhaps 50x connections at each of B, C & D, not to mention the path you
posted showed upwards of a dozen hops - so more realistically there could be 4
or 5 order of magnitude more devices causing traffic in the path.

In this specific instance, I find interesting the disparity of results
between each hop ICMP echo and traceroute time exceeded processing, all
the way up to the final hop.

I wouldnt care if the application protocols rode well, but they dont
seem to.


while you can paint a partial picture from elicited icmp responses, it
certainly doesn't give you the full canvas.

you've only tested traffic from A to E.  what about A to F where those are
ENDPOINTS and not ROUTERS?  e.g. try a long-lived HTTP/FTP stream & see what
you get.


cheers,

lincoln.

Current thread:

barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 06)
- RE: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Lincoln Dale (May 06)
  - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 06)
    - RE: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Lincoln Dale (May 06)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 06)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Adrian Chadd (May 06)
    - RE: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Lincoln Dale (May 06)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Steven M. Bellovin (May 06)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 06)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Jo Rhett (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Peter Dambier (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Jo Rhett (May 07)
    - RE: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Lincoln Dale (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Min (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 07)
    - Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec Joe Maimon (May 07)

(Thread continues...)