Re: TTL and IPsec
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Rodney" == Rodney Thayer <rodney@sabletech.com> writes:
Rodney> I disagree that a tunnel endpoint should always decrement
Rodney> the TTL. If you're a client, and if you're near the edge
Rodney> of the TTL radius, you can drop things you shouldn't be
Rodney> dropping. Some people think that end systems that
Rodney> decrement the TTL too much are broken. Think about how
Rodney> you want 'traceroute' to look.
But, an end system doesn't forward the packet, so it shouldn't
consider itself a router, and shouldn't decrement the TTL...
Hmm. I can see that in the DataFellows implementation that this is
going to have to be a flag since our engine does both client and
gateway.
Rodney> TTL is going to get whacked out anyway, since the INNER IP
Rodney> header isn't going to have its TTL decremented as the
Rodney> packet travels through the net. I bet someone with
Rodney> IP-over-IP experience has something to add to this...
Yes, but there is nothing you can do about this.
If you consider traceroute's usage, you want to see that the tunnel
was a single hop.
] The sun rarely sets on Helsinki | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBM8EJNMmxxiPyUBAxAQGNHQL9GzSwh6Wk6sgbQm5WzNhgt8mhBk+KiIQm
ZUBSKgVRXQ2dHDO2F4UNCDy6MsrzaTRLeJWg5W2+Tj/NCwKsn4Nndi+VwVpfgjj7
6Utzm5NjqY0SnSDbswHMTORzBXrcqQjv
=Cxdq
-----END PGP SIGNATURE-----
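The TTL behaviour discussed in this thread, as an added example (this is not code from the original message, nor from the DataFellows engine it mentions): a small Python model of an IP-in-IP style tunnel with routers on both sides, and a traceroute run across it. The router/endpoint names (r1, gw-a, isp1, laptop, server), the outer TTL value and the exact gateway-versus-client policy are constructed assumptions for the model. The gateway case charges the whole tunnel as one hop at the ingress, so the ISP transit routers never show up; the client case shows the problem Rodney raises: an end system that treats itself as a router drops its own TTL=1 packets before they ever leave the box. It also covers the case the thread does not spell out: if the OUTER TTL expires, the ICMP goes back to the tunnel ingress, so the original sender just sees a lost probe.

```python
"""Model of TTL handling across an IP-in-IP / IPsec tunnel and what traceroute sees.

Hypothetical model written for this thread, not any vendor's engine. Assumptions:
  * routers forward per RFC 791: decrement TTL, drop at 0 and answer ICMP Time Exceeded;
  * an endpoint acting as a gateway is forwarding the packet, so it decrements the inner
    TTL once when encapsulating and again when it forwards the decapsulated packet on;
  * an endpoint acting as a client (end system) originated or terminates the packet, so it
    never touches the inner TTL;
  * decapsulation itself never changes the inner TTL; the outer header has its own TTL;
  * if the OUTER TTL expires, the ICMP goes to the outer source (the ingress), so the
    original sender sees nothing: the probe is simply lost.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    inner: Optional["Packet"] = None   # set while the packet is wrapped in an outer header


def forward(router: str, pkt: Packet) -> Tuple[Optional[Packet], Optional[str]]:
    """One ordinary router hop; returns (packet, None) or (None, router that sent ICMP)."""
    if pkt.ttl <= 1:
        return None, router
    pkt.ttl -= 1
    return pkt, None


@dataclass
class Tunnel:
    ingress: str
    transit: List[str]          # routers between the endpoints; they only see the outer header
    egress: str
    ingress_is_gateway: bool    # True: ingress forwards for others, decrements inner TTL on encap
    egress_is_gateway: bool     # True: egress forwards the inner packet on after decapsulation
    outer_ttl: int = 64         # constructed value for the outer header

    def traverse(self, pkt: Packet) -> Tuple[Optional[Packet], Optional[str]]:
        if self.ingress_is_gateway:
            # the whole tunnel counts as a single hop, charged at the ingress
            pkt, responder = forward(self.ingress, pkt)
            if pkt is None:
                return None, responder
        outer = Packet(self.ingress, self.egress, self.outer_ttl, inner=pkt)
        for router in self.transit:
            outer, _ = forward(router, outer)      # only the outer TTL is decremented here
            if outer is None:
                return None, None                 # ICMP went to the ingress, not to the sender
        inner = outer.inner                       # decapsulation leaves the inner TTL untouched
        if self.egress_is_gateway:
            return forward(self.egress, inner)    # normal IP forwarding out of the egress
        return inner, None                        # egress is the end system: deliver locally


Hop = Union[str, Tunnel]


def send_probe(path: List[Hop], dst: str, ttl: int) -> Optional[str]:
    """Push one probe of the given TTL along path; return who answered (None = lost)."""
    pkt = Packet("sender", dst, ttl)
    for hop in path:
        pkt, responder = hop.traverse(pkt) if isinstance(hop, Tunnel) else forward(hop, pkt)
        if pkt is None:
            return responder
    return dst    # delivered; the destination answers (e.g. ICMP port unreachable)


def traceroute(path: List[Hop], dst: str, max_ttl: int = 16) -> List[Tuple[int, str]]:
    """Classic traceroute: raise the TTL one at a time and record who complains."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder = send_probe(path, dst, ttl)
        hops.append((ttl, responder or "*"))
        if responder == dst:
            break
    return hops


# Constructed topology: sender -> r1 -> [gw-a ==(isp1,isp2,isp3)== gw-b] -> r2 -> server
SITE_TO_SITE: List[Hop] = ["r1", Tunnel("gw-a", ["isp1", "isp2", "isp3"], "gw-b", True, True), "r2"]


def client_path(client_decrements: bool) -> List[Hop]:
    """Constructed road-warrior topology: the laptop tunnels straight to its gateway."""
    return [Tunnel("laptop", ["isp1", "isp2"], "gw", client_decrements, False)]


if __name__ == "__main__":
    print(traceroute(SITE_TO_SITE, "server"))       # gw-a, gw-b visible; isp1..3 hidden
    print(traceroute(client_path(False), "gw"))    # one hop: the tunnel itself
    print(traceroute(client_path(True), "gw"))     # laptop drops its own TTL=1 packet
```

In the site-to-site run the three ISP routers are invisible and the gateways appear as consecutive hops, which is the "tunnel as a single hop" picture the message asks for. Flipping the client flag is the difference Michael describes having to make configurable: the same engine must not decrement when it is the end system, or it answers its own TTL=1 probes.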