Beginner

How to drop a packet which has a specific attribute

Hi dear Friends!

Nice to chat with dear Cisco Experts

 

I'm a researcher and have just published about 6 papers at different international conferences. My next paper is about custom routing, and I really need some help from Cisco Systems experts. The challenge in my paper is described below:

 

My question is: Can we drop a packet which has a specific attribute? If yes, how can we?

 

The example: We want a router to drop packets that are not read-only. In other words, the router only passes packets that have read-only properties and drops other packets.

 

 

I really need your response.

Hall of Fame Expert

Re: How to drop a packet which has a specific attribute

Hello Moein,

 

Can you give a practical example of what you mean by read-only attributes of a packet?

Just to make clear what you are looking for.

 

Hope to help

Giuseppe

 

Beginner

Re: How to drop a packet which has a specific attribute

Yeah,
assume that I want to share some packets over the internet (or over a local network in a large company), but we suspect that a hacker may modify the data we send and then retrieve the manipulated information to the destination instead of the main information. Thus we want to make all of our data packets secure by making them read-only (or write-protected) first in the source system and after that send them to the destination. Here we want to get help from the router to drop those packets which are not read-only (or write-protected) and can be modified on the path from source to destination.

@Giuseppe Larosa

 

VIP Expert

Re: How to drop a packet which has a specific attribute

There's no "read-only" or "write-protected" per packet, at least with IPv4 at the packet level. However, above the packet level, you can use security protocols to generate a "digest" (which indicates if the data has been changed) or encrypt the data. You could drop packets not using a security protocol. IPv6, I understand, has higher level security protocols defined for it, again, I believe, generation of a digest and/or encryption.

A simple example of IPv4 dropping non-secure packets is that often, when I define a VPN tunnel's physical interface, I'll drop all packets that don't appear to be related to IPSec. This is without even examining whether the packet's digest or encryption is good/valid.
Beginner

Re: How to drop a packet which has a specific attribute

So, do you think it's not possible to drop a "read only" data packet or data frame?

@Joseph W. Doherty 

VIP Expert

Re: How to drop a packet which has a specific attribute

"So, Do you think its not possible to drop a "read only" data packet or data frame?"

Again, at the frame or packet level, there isn't any "read-only" attribute. (Actually, all frames and packets are "read-only" because to change any of the content you create a new frame or packet, you don't overwrite the original. Sometimes the new frame or packet is an exact copy of the original, sometimes it has been modified.)

However, if a device can identify something specific in the frame or packet, it can generally drop it.
Hall of Fame Expert

Re: How to drop a packet which has a specific attribute

Hello Moein,

As explained by Joseph, there are very few options at the IPv4 level to verify a packet:

When a router routes an IPv4 packet, it performs two changes to the IPv4 packet header:

the TTL is decremented by 1

the IPv4 header checksum is recalculated as the complement to 1 of the bytes in the header.

In practice the TTL field is decremented by 1 and the IPv4 header checksum is incremented by 1.

And this is all you can do at IPv4: just check whether the IPv4 header checksum is consistent on the received packet.

But this checksum does not take into account the payload.

So the only way to provide protection from a man-in-the-middle attack is to use the IPSec framework and an IPSec VPN or an SSL VPN with TLS encryption.

IPv6 includes the AH and ESP protocols as extension headers in the protocol definition, but actually there is little change: you still need to use it or SSL to provide protected communication end to end.

 

Hope to help

Giuseppe
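
An added example, not part of the thread or any participant's code: it builds a constructed IPv4 packet, applies the per-hop TTL and header-checksum update, and shows that the header checksum still verifies after the payload is altered while a keyed digest over the payload does not. HMAC-SHA256 with a pre-shared key is an assumption standing in for the integrity digest a security protocol such as IPSec provides; all addresses, keys and payloads are constructed.

```python
import hashlib, hmac, struct

def checksum(header: bytes) -> int:
    """One's complement of the one's-complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(ttl: int, payload: bytes) -> bytes:
    # Constructed sample packet: UDP, 192.0.2.1 -> 198.51.100.7, no IP options.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, 17, 0, bytes([192, 0, 2, 1]),
                      bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def header_ok(packet: bytes) -> bool:
    """A valid header, summed together with its own checksum field, yields 0."""
    ihl = (packet[0] & 0x0F) * 4
    return ihl >= 20 and len(packet) >= ihl and checksum(packet[:ihl]) == 0

def forward(packet: bytes) -> bytes:
    """Per-hop router work: decrement TTL, recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if hdr[8] <= 1:
        raise ValueError("TTL expired; a router would drop this packet")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def digest(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def digest_ok(key: bytes, payload: bytes, received: bytes) -> bool:
    return hmac.compare_digest(digest(key, payload), received)

def scenario() -> dict:
    key = b"constructed-demo-key"        # assumed pre-shared between the endpoints
    packet = build_packet(64, b"transfer 100 to alice")
    tag = digest(key, packet[20:])       # computed by the sender over the payload
    hop = forward(packet)
    tampered = hop[:20] + hop[20:].replace(b"100", b"900")  # payload changed in transit
    return {"ttl_after_hop": hop[8],
            "header_ok_after_hop": header_ok(hop),
            "header_ok_after_tamper": header_ok(tampered),
            "digest_ok_original": digest_ok(key, hop[20:], tag),
            "digest_ok_tampered": digest_ok(key, tampered[20:], tag)}

if __name__ == "__main__":
    print(scenario())
```

The receiving endpoint, not an intermediate router, is the party that holds the key and can reject the altered payload.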

 
