Hi All,
I have scanned 3GPP documents for info on the GGSN IP network facing side, IIUC how the GGSN responds there is "out of scope" - I'm specifically wondering about sending ICMP host unreachable messages in response to packets for IPs that are not currently active in the pool.
Sometimes it would happen where I was pinging an IP assigned to an MS while looking at other things in the SGSN and PCU but in the meantime the MS would cycle the PDP context and have a new IP.
For this and maybe other reasons I wrote a proof-of-concept patch (probably not great code, but working) to have the GGSN send ICMP host unreachable.
Do you think this is a desirable feature?
If so I would try to clean it up and submit to code review.
Also if in agreement, would it be worth making it switchable via a vty param? I am thinking of where one might not want the IP space to be probeable, although I would assume that kind of thing is best left to the local firewall implementation.
Patch here: http://git.osmocom.org/osmo-ggsn/?h=keith%2Ficmp
Thanks.
K.
Hi Keith,
On Sat, Oct 31, 2020 at 08:27:34PM -0600, Keith wrote:
> I have scanned 3GPP documents for info on the GGSN IP network facing side, IIUC how the GGSN responds there is "out of scope"
I'd agree to that.
> - I'm specifically wondering about sending ICMP host unreachable messages in response to packets for IPs that are not currently active in the pool.
makes sense.
> If so I would try to clean it up and submit to code review.
please do, thanks!
> Also if in agreement, would it be worth making it switchable via a vty param? I am thinking of where one might not want the IP space to be probeable, although I would assume that kind of thing is best left to the local firewall implementation.
I think the GGSN "function" should not implement firewall policy.
However, given that generating and discarding a potentially very large amount of ICMP host unreachable messages can consume a significant amount of resources, I guess a vty option might make sense.
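Sketch of the two pieces such a feature needs, as an added example that is not the osmo-ggsn patch linked above: the ICMP Host Unreachable builder (including the RFC 1122 cases where no error must be sent back) and a per-second budget covering the resource concern in the reply. Function and struct names are assumptions; the sample packet in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* RFC 1071 Internet checksum over a byte buffer. */
uint16_t inet_csum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)buf[i] << 8 | buf[i + 1];
	if (len & 1)
		sum += (uint32_t)buf[len - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}
/* RFC 1122 3.2.2: never answer an ICMP error message with another ICMP error. */
static int is_icmp_error(uint8_t type)
{
	return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}
/* Build ICMPv4 Destination Unreachable, code 1 (Host Unreachable), quoting the
 * offending IPv4 header plus 8 payload bytes (RFC 792). Returns the ICMP length,
 * or 0 when no reply should be generated for this packet. */
size_t build_icmp_host_unreach(const uint8_t *ip_pkt, size_t ip_len,
			       uint8_t *out, size_t out_len)
{
	if (ip_len < 20 || (ip_pkt[0] >> 4) != 4) return 0;
	size_t ihl = (size_t)(ip_pkt[0] & 0x0f) * 4;
	if (ihl < 20 || ihl > ip_len) return 0;
	if (((ip_pkt[6] & 0x1f) << 8 | ip_pkt[7]) != 0) return 0; /* non-initial fragment */
	if (ip_pkt[9] == 1 && ihl < ip_len && is_icmp_error(ip_pkt[ihl])) return 0;
	size_t quote = ihl + 8 < ip_len ? ihl + 8 : ip_len;
	if (out_len < 8 + quote) return 0;
	out[0] = 3; out[1] = 1;          /* type 3, code 1 */
	memset(out + 2, 0, 6);           /* checksum (filled below) + unused field */
	memcpy(out + 8, ip_pkt, quote);
	uint16_t csum = inet_csum(out, 8 + quote);
	out[2] = csum >> 8; out[3] = csum & 0xff;
	return 8 + quote;
}
/* Per-second budget so a flood of packets for idle pool addresses cannot
 * become a flood of ICMP (the resource concern raised in the reply). */
struct unreach_limiter { unsigned per_sec, used; uint32_t sec; };

int unreach_allowed(struct unreach_limiter *l, uint32_t now_sec)
{
	if (now_sec != l->sec) { l->sec = now_sec; l->used = 0; }
	return l->used < l->per_sec ? (l->used++, 1) : 0;
}
```

The caller would invoke the builder only for destinations that are in the pool but have no active PDP context, and only while `unreach_allowed()` returns 1; the vty switch discussed above would simply gate that call.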