Mail Archive: Open Networks
Re: 1)Accelar mirroring 2)JFWD
On 06-Sep-2000 Rob Jaeger wrote:
>> On 06-Sep-2000 Rob Jaeger wrote:
>> > On Thu, 31 Aug 2000, Brett Wilson wrote:
>> >> 4) Using 3 computers and 3 separate physical ports, I tried the
>> >> following:
>> >>
>> >> Computer A (Port 1)
>> >> Computer B (Port 2)
>> >> Computer X (Port 3)
>> >>
>> >> Set filter on Port 2 to match all ICMP traffic destined for Computer
>> >> A.
>> >> (OR all ICMP traffic from Computer B)
>> >> Set the port mirror flag on the filter and set filter to deny.
>> >> RCMirrorPort is set to Port 3.
>> >>
>> >> Computer B sends an Echo Request to Computer A.
>> >> The Router denies the packet but mirrors it to port 3.
>> >> Computer X picks up the packet, decides it's ok and resends it.
>> >
>> > this is expected, right? so far so good.
>>
>> Yup. So far so good.
>>
>> >> Computer A receives the request and replies to B, BUT at the
>> >> same time, the router re-mirrors the resent packet back to
>> >> port 3 and does a ttl--.
>> >
>> > hmmm ... is there a filter on port 3?
>>
>> Oops. I sometimes forget to lay out some of the details.
>> See below.
>>
>> >>
>> >> As you can see, a nasty loop is created that only stops once
>> >> the ttl of the packet drops to zero. Another thing I noted
>> >> was that in both the source and destination filters, the packet
>> >> that is mirrored to Port 3 has the ethernet header for:
>> >> Port1->ComputerA
>> >> not
>> >> ComputerB->Port2
>> >> which is where I would think it would be considering the packet
>> >> filter is supposedly set to Port 2.
>> > I am confused. The header is ComputerB (src eth) to ComputerA (dst
>> > eth) when it leaves computer B. I think the computer on port 3 must be in
>> > promiscuous mode to receive the mirrored packets
>>
>>
>> Yes. Computer X is in promiscuous mode (and I made a small mod to the
>> kernel so that the packet filtering kernel code would get promiscuous
>> packets). Computer X receives all the packets mirrored onto port 3. Of
>> the packets it sees, any it deems ok are resent. (Computer X is the only
>> computer on port 3).
>>
>> On the way back to the router from Computer X, the HW address information
>> is correct and the router routes the packet over to Computer A (the
>> original dest) and the HW address information on that network segment is
>> correct. The odd thing is that I get the same packet I sent out (and which
>> _was_ delivered out port 1) sent back at me (with the TTL--;). And like
>> your question above, it seems like there is a filter on port 3... but
>> there isn't. It's like it's getting the mirror option of the filter on
>> port 2 but not implementing the DENY part. Almost like the mirror option
>> of the filter on port 2 is implemented at port 1 instead of port 2.
>
> try using the cli to examine the ports for any filter. However, the
> filter is applied going INTO the box from the hosts, therefore, the mirror
> would have to be on port 3 as well as 2 for this to happen. If you have a
> fourth machine sending to port 1, does IT get mirrored? What about if you
> just source traffic from X to A directly?
>
Okay. I did a little more verification using the following and removing
any retransmitting by computer X to stop those annoying packet storms.
------------------------------------
|             Router               |
|    1        2        3        4  |
------------------------------------
     |        |        |        |
    ---      ---      ---      ---
   | A |    | B |    | C |    | X |
    ---      ---      ---      ---
Mirror Port: 4
Filter is set to match:
Src: 0/0
Dst: A/32
Mir: Yes
Act: Deny
Filter is added to Port 2
From B (port 2):
ping A
no response
but packets are seen reflected at port 4
From C (port 3):
ping A
get a response
and packets are still seen reflected at port 4
From X (port 4):
ping A
get a response
and echo request packet is seen reflected back out port 4
Basically, what I see is the filter matching and denying ICMP to A
just on port 2 like I set it up to do. And the mirror only mirrors
packets that match the particular IP header requirements.
But, it also mirrors ICMP packets not going through port 2. The reason
I mentioned the ethernet headers before is that I found it odd that
the mirrored packets had the ethernet header information for the ethernet
cards of Port1 and ComputerA, which means that either it is mirroring things
it saw on port 1 (the outgoing route of packets matching this filter) or
it mirrored them after it had finished its routing decision and changed
the hardware addresses.
Obviously this is not a key router issue as only silly people
like me would be mirroring packets to then make decisions with
them on an external box, but it was a test to see how well it
worked as Dan was concerned as to how much in-CPU filtering
the router could do as its primary focus is on hardware routing.
I just thought I would mention it.
Brett
---------------------------------------------------------
Brett M. Wilson <bwilson@tislabs.com>
Adaptive Network Defense Group
NAI Labs, Glenwood, MD
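The two symptoms Brett reports (mirrored copies carrying the router's port-1 MAC rather than B's, and the same echo request coming back with a lower TTL each time X re-sends it) can both be read straight off a capture taken on the mirror port. The following is an added example, not code from the thread or from the Accelar product: it models frames captured on port 4 as simple records and checks (a) whether copies still carry the original sender's source MAC (mirrored on ingress) or a router interface MAC (mirrored after the forwarding decision), and (b) whether any one packet identity (IP src/dst, IP ID, ICMP type) shows up repeatedly with a strictly decreasing TTL, which is the signature of the re-injection loop described above. The MAC and IP addresses, the IP IDs and the `Frame` field names are all constructed for the example.

```python
"""Analyse mirrored frames for mirror stage and re-injection loops.

Added example, not part of the original thread. It models the test in the
message: a deny+mirror filter on port 2, mirror port 4, and an analysis host
X on port 4. All addresses, IDs and the Frame layout are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One frame as seen on the mirror port (constructed field set)."""
    src_mac: str
    dst_mac: str
    ip_src: str
    ip_dst: str
    ip_id: int
    ttl: int
    icmp_type: int  # 8 = echo request, 0 = echo reply


# Constructed (hypothetical) addresses for the hosts and router ports.
MAC_A = "00:a0:00:00:00:01"       # host A on port 1
MAC_B = "00:b0:00:00:00:02"       # host B on port 2
MAC_RTR_P1 = "00:e0:00:00:00:01"  # router interface on port 1
MAC_RTR_P2 = "00:e0:00:00:00:02"  # router interface on port 2
ROUTER_MACS = {MAC_RTR_P1, MAC_RTR_P2}
IP_A, IP_B = "10.0.1.10", "10.0.2.10"


def classify_mirror_stage(frames, router_macs):
    """'ingress' if every copy still carries the sender's own source MAC,
    'egress' if every source MAC is a router interface (copy taken after
    the routing decision rewrote the Ethernet header), else 'mixed'."""
    stages = {"egress" if f.src_mac in router_macs else "ingress"
              for f in frames}
    return stages.pop() if len(stages) == 1 else "mixed"


def find_reinjection_loops(frames, min_copies=2):
    """Group frames by IP identity. A group seen min_copies or more times
    with a strictly decreasing TTL is one packet that was mirrored, re-sent
    by the analysis host, forwarded (TTL--) and mirrored again."""
    ttls_by_key = defaultdict(list)
    for f in frames:
        ttls_by_key[(f.ip_src, f.ip_dst, f.ip_id, f.icmp_type)].append(f.ttl)
    loops = {}
    for key, ttls in ttls_by_key.items():
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_copies and decreasing:
            loops[key] = ttls
    return loops


# Constructed capture matching the observation in the thread: copies of B's
# echo request to A carry the port-1 router MAC as source, and one request
# (IP ID 0x1234) reappears three times with the TTL dropping each time.
CAPTURE_LOOP = [
    Frame(MAC_RTR_P1, MAC_A, IP_B, IP_A, 0x1234, 63, 8),
    Frame(MAC_RTR_P1, MAC_A, IP_B, IP_A, 0x1234, 62, 8),
    Frame(MAC_RTR_P1, MAC_A, IP_B, IP_A, 0x1234, 61, 8),
    Frame(MAC_RTR_P1, MAC_A, IP_B, IP_A, 0x1235, 63, 8),  # seen only once
]

# Constructed capture of what an ingress-side mirror would look like:
# B's own MAC as source, router port-2 MAC as destination, TTL untouched.
CAPTURE_INGRESS = [
    Frame(MAC_B, MAC_RTR_P2, IP_B, IP_A, 0x1234, 64, 8),
]


def analyse(frames, router_macs=ROUTER_MACS):
    """Summary a tester would check before re-injecting anything."""
    return {
        "stage": classify_mirror_stage(frames, router_macs),
        "loops": find_reinjection_loops(frames),
    }


if __name__ == "__main__":
    for name, cap in (("loop capture", CAPTURE_LOOP),
                      ("ingress capture", CAPTURE_INGRESS)):
        print(name, analyse(cap))
```

If `analyse` reports stage `egress` on a mirror that was meant to copy the filter's ingress port, the mirror is being taken after forwarding, which is exactly the condition under which an external box that re-sends accepted packets will feed them back through the same filter; a non-empty `loops` result is the TTL-countdown storm the message describes, so the re-sending step should stay disabled until the stage reads `ingress`.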