How to drop a packet which has a specific attribute

MoeinClv
Level 1

Hi dear Friends!

Nice to chat with dear Cisco Experts

 

I’m a researcher and have just published about 6 papers at different international conferences. My next paper is about custom routing and I really need some help from Cisco Systems experts. I describe the challenge from my paper below:

 

My question is: can we drop a packet which has a specific attribute? If yes, how can we do it?

 

The example: we want a router to drop packets that are not read-only. In other words, the router only passes packets that have read-only properties and drops other packets.

 

 

Really in need of your response,


7 Replies

Giuseppe Larosa
Hall of Fame

Hello Moein,

 

can you give a practical example of what you mean by read-only attributes of a packet?

Just to make clear what you are looking for.

 

Hope to help

Giuseppe

 

Yeah,
assume that I want to share some packets over the internet (or over a local network in a large company), but we suspect that a hacker may modify the data we send and deliver the manipulated information to the destination instead of the original information. Thus we want to make all of our data packets secure by making them read-only (or write-protected) first in the source system and after that send them to the destination. HERE we want help from the router to drop those packets which are not read-only (or write-protected) and can be modified on the path from source to destination. @Giuseppe Larosa

 

There's no "read-only" or "write-protected" per packet, at least with IPv4 at the packet level. However, above the packet level, you can use security protocols to generate a "digest" (which indicates if the data has been changed) or encrypt the data. You could drop packets not using a security protocol. IPv6, I understand, has higher level security protocols defined for it, again, I believe, generation of a digest and/or encryption.

A simple example of IPv4 dropping non-secure packets: often, when I define a VPN tunnel's physical interface, I'll drop all packets that don't appear to be related to IPSec. This is without even examining whether the packet's digest or encryption is good/valid.

So, do you think it's not possible to drop a "read only" data packet or data frame?

@Joseph W. Doherty 

"So, Do you think its not possible to drop a "read only" data packet or data frame?"

Again, at the frame or packet level, there isn't any "read-only" attribute. (Actually, all frames and packets are "read-only" because to change any of the content you create a new frame or packet, you don't overwrite the original. Sometimes the new frame or packet is an exact copy of the original, sometimes it has been modified.)

However, if a device can identify something specific in the frame or packet, it can generally drop it.

Hello Moein,

as explained by Joseph, there are very few options at the IPv4 level to verify a packet:

 

A router, when it routes an IPv4 packet, performs two changes to the IPv4 packet header:

the TTL is decremented by 1

the IPv4 header checksum is recalculated as the one's complement of the 16-bit words in the header.

In practice the TTL field is decremented by 1 and the IPv4 header checksum is incremented by 1.

 

And this is all you can do at IPv4: just check whether the IPv4 header checksum is consistent on a received packet.

But this checksum does not take the payload into account.

 

So the only way to provide protection from man-in-the-middle attacks is to use the IPSec framework and an IPSec VPN, or an SSL VPN with TLS encryption.

IPv6 includes the AH and ESP protocols as extension headers in the protocol definition, but actually little changes: you still need to use them or SSL to provide protected communication end to end.

 

Hope to help

Giuseppe
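To make Giuseppe's points concrete (the per-hop TTL decrement, the one's-complement header checksum being updated in step with it, and that checksum saying nothing about the payload), here is an added Python example; it is not code from the thread, and the packet bytes are constructed test data, not captured traffic.

```python
import struct

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791: one's-complement sum of the 16-bit words (end-around carry), inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_packet(src: bytes, dst: bytes, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte header (no options) with the checksum filled in, payload appended."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + payload

def checksum_of(packet: bytes) -> int:
    return struct.unpack("!H", packet[10:12])[0]

def header_verifies(packet: bytes) -> bool:
    """Receiver's check: the sum over the header, checksum field included, folds to 0.
    Only the header is covered; the payload is never looked at."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_header_checksum(packet[:ihl]) == 0

def forward_hop(packet: bytes) -> bytes:
    """The two per-hop changes: TTL - 1 and the incremental checksum update of RFC 1624,
    HC' = ~(~HC + ~m + m'), m being the 16-bit word holding TTL (high byte) and protocol."""
    if packet[8] <= 1:
        raise ValueError("TTL expired: router discards the packet (ICMP Time Exceeded)")
    m, hc = struct.unpack("!HH", packet[8:12])
    m_new = m - 0x0100  # TTL is the high byte, so the word drops by 0x0100
    acc = (~hc & 0xFFFF) + (~m & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return packet[:8] + struct.pack("!HH", m_new, (~acc) & 0xFFFF) + packet[12:]

def tamper_payload(packet: bytes) -> bytes:
    """On-path change to the payload only; the header checksum is left as it was."""
    return packet[:20] + bytes(b ^ 0x20 for b in packet[20:])

# Constructed sample (not captured traffic): UDP 10.0.0.1 -> 192.0.2.10, TTL 64.
SAMPLE = build_ipv4_packet(bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]), 64, 17, b"hello!!!")

if __name__ == "__main__":
    hop = forward_hop(SAMPLE)
    print("TTL %d -> %d, checksum 0x%04X -> 0x%04X" % (SAMPLE[8], hop[8], checksum_of(SAMPLE), checksum_of(hop)))
    print("payload tampered, header check still passes:", header_verifies(tamper_payload(SAMPLE)))
```

The incremental update lands on exactly the value a full recomputation gives, and a packet whose payload was altered in transit still passes the header check, which is why integrity has to come from AH/ESP or TLS rather than from the IP layer.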

 
