issues reg ICMP timestamp and address mask request
Greetings,
I am trying to understand the ICMP timestamp (type 13) queries.
There is a unix tool ICMP Query that can be used to send ICMP
type 13 messages (TIMESTAMP) and type 17 messages (ADDRESS MASK
REQUEST).
When I am sending ICMP type 13 queries to a Linux and Solaris
machine, it is giving me the exact time of the remote machine.
The following result shows that.
""
[root@gdrd5 ~]# icmpquery -t 172.16.1.2
172.16.1.2 :10:09:56
[root@gdrd5 ~]# icmpquery -t 172.16.1.2
172.16.1.2 :10:09:58
""
The result is matching the time on the remote machine.
But if I send the same request to a Windows machine,
I am getting results which I am not able to interpret. The
following are the results on a Windows machine.
[root@gdrd5 ~]# icmpquery -t 172.16.16.31
172.16.16.31 : 08:52:31
[root@gdrd5 ~]# icmpquery -t 172.16.16.31
172.16.16.31 : 10:07:13
[root@gdrd5 ~]# icmpquery -t 172.16.16.31
172.16.16.31 : 19:43:24
[root@gdrd5 ~]# icmpquery -t 172.16.16.31
172.16.16.31 : 00:26:59
Also I am not getting any result when I am sending
ICMP type 17 messages (Address Mask) as the
following result shows.
[root@gdrd5 ~]# icmpquery -m 172.16.16.31
[root@gdrd5 ~]# icmpquery -m 172.16.1.2
[root@gdrd5 ~]# icmpquery -m 172.16.16.25
Unknown ICMP message received (type 17)
Are ICMP type 17 messages not supported by OSes these days?
Because I had stopped the firewall on these systems and
tried the test. But still not getting any reply for ICMP type 17
message.
Please help me in interpreting the ICMP timestamp result from a
Windows machine and also the reason why there is no response
for ICMP Address Mask request.
Cheers
b zaman
Re: issues reg ICMP timestamp and address mask request
query.cdac@gmail.com writes:
> But if I send the same request to a Windows machine,
> I am getting results which I am not able to interpret. The
> following are the results on a Windows machine.
First, there's an escape clause in RFC-792 that says the other machine
doesn't *have* to use a standard timestamp. If so, it's supposed to
set the high order bit. It's possible that's what's happening here
(with or without the high order bit set).
More likely, though, is that the Windows implementation is broken and
doesn't correctly byte swap the time stamp.
> Are ICMP type 17 messages not supported by OSes these days?
> Because I had stopped the firewall on these systems and
> tried the test. But still not getting any reply for ICMP type 17
> message.
Only gateways (er, "routers", I mean) respond to ICMP type 17 messages.
End systems are actually not supposed to reply to them, although many
do.
-don
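The two readings described in the reply above can be checked against the raw bytes of a reply. This is an added example, not part of the original thread or of icmpquery; the function names and the sample packets are constructed for illustration. It decodes each 32-bit field of an ICMP Timestamp Reply (type 14) in network byte order and byte-swapped, and reports the RFC 792 high-order bit.

```python
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000  # RFC 792 timestamps count ms since midnight UT

def fmt_ms(ms):
    """Render milliseconds since midnight as HH:MM:SS.mmm."""
    secs, msec = divmod(ms, 1000)
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}.{msec:03d}"

def classify(field):
    """Classify one 4-byte timestamp field exactly as it appeared on the wire.

    Returns (label, time_text_or_None, high_bit_set).
    """
    be = struct.unpack("!I", field)[0]  # network byte order, what RFC 792 expects
    le = struct.unpack("<I", field)[0]  # what a sender that skipped the swap emits
    high_bit = bool(be & 0x80000000)
    if be < MS_PER_DAY:
        return ("standard", fmt_ms(be), high_bit)
    if le < MS_PER_DAY:
        # The sender's low-order byte lands in the top position, so the
        # high bit can be set or clear purely by accident.
        return ("byte-swapped", fmt_ms(le), high_bit)
    if high_bit:
        return ("non-standard", None, high_bit)
    return ("out-of-range", None, high_bit)

def parse_timestamp_reply(packet):
    """Parse a 20-byte ICMP Timestamp Reply (type 14) into classified fields."""
    if len(packet) < 20:
        raise ValueError("short packet")
    icmp_type, _code, _cksum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 14:
        raise ValueError(f"not a timestamp reply (type {icmp_type})")
    names = ("originate", "receive", "transmit")
    return {n: classify(packet[8 + 4 * i: 12 + 4 * i]) for i, n in enumerate(names)}

# Constructed sample replies (checksum left at zero; it is not verified here).
HDR = struct.pack("!BBHHH", 14, 0, 0, 0x1234, 1)
ORIG = struct.pack("!I", 36_595_000)                    # 10:09:55.000
GOOD = HDR + ORIG + struct.pack("!I", 36_596_000) * 2   # correct network order
SWAP = HDR + ORIG + struct.pack("<I", 36_596_128) * 2   # sender skipped the swap
FLAG = HDR + ORIG + struct.pack("!I", 0x8000002A) * 2   # flagged non-standard

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("SWAP", SWAP), ("FLAG", FLAG)):
        print(name, parse_timestamp_reply(pkt))
```

A field that only makes sense byte-swapped and changes smoothly between probes points to a missing byte swap; a field with the high bit set and no plausible swapped reading is the RFC 792 non-standard case.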
Re: issues reg ICMP timestamp and address mask request
On Sep 12, 3:27 pm, don provan <dpro...@comcast.net> wrote:
> query.c...@gmail.com writes:
> > But if I send the same request to a Windows machine,
> > I am getting results which I am not able to interpret. The
> > following are the results on a Windows machine.
>
> First, there's an escape clause in RFC-792 that says the other machine
> doesn't *have* to use a standard timestamp. If so, it's supposed to
> set the high order bit. It's possible that's what's happening here
> (with or without the high order bit set).
>
> More likely, though, is that the Windows implementation is broken and
> doesn't correctly byte swap the time stamp.
>
> > Are ICMP type 17 messages not supported by OSes these days?
> > Because I had stopped the firewall on these systems and
> > tried the test. But still not getting any reply for ICMP type 17
> > message.
>
> Only gateways (er, "routers", I mean) respond to ICMP type 17 messages.
> End systems are actually not supposed to reply to them, although many
> do.
Greetings don,
Thanks for the reply.
I tried to send ICMP type 17 messages to a router. But it is not
responding.
But the router is responding to ICMP Timestamp messages.
But I got a reply from a Solaris machine when I sent the ICMP type 17
messages.
[root@gdrd5 ~]# icmpquery -m 172.16.100.1
172.16.100.1 : 0xFFFF0000
Is it that for security reasons most OS vendors disable this feature
in the OS itself so that it does not respond to ICMP messages? But then
the question comes: why is Solaris responding to such requests,
considering that UNIX systems are considered to be secure?
Please clarify.
Thanks in advance.
Re: issues reg ICMP timestamp and address mask request
query.cdac@gmail.com writes:
> I tried to send ICMP type 17 messages to a router. But it is not
> responding.
Well, it's not quite required. Type 17 wasn't in the original ICMP
spec, so it may have been overlooked, or someone decided it wasn't
worth it.
> But the router is responding to ICMP Timestamp messages.
Timestamp *was* in RFC-792, and that spec generally makes it sound
like it's required.
> But I got a reply from a Solaris machine when I sent the
> ICMP type 17 messages.
UNIX network code of all stripes tends to be routing capable, and many
act like routers even when they are not.
> Is it that for security reasons most OS vendors disable this
> feature in the OS itself so that it does not respond to ICMP
> messages?
That's my understanding, although you seem to be running more into the
fact that not everything is implemented everywhere.
> But then the question comes: why is Solaris responding to
> such requests, considering that UNIX systems are considered to be
> secure?
LOL! Good one! No, UNIX network has historically been something that
worries more about convenience than security. Of course, there's a
lot of security on UNIX now in modern systems, but the legacy of
friendly openness left behind a distinct immunization against being
anal, so things such as ICMP that many didn't think was a serious
threat, so most UNIX's tend to respond, by default.
-don
Re: issues reg ICMP timestamp and address mask request
In article <u8x78jl00.fsf@comcast.net>,
don provan <dprovan@comcast.net> wrote:
>> Is it that for security reasons most OS vendors disable this
>> feature in the OS itself so that it does not respond to ICMP
>> messages?
>
>That's my understanding, although you seem to be running more into the
>fact that not everything is implemented everywhere.
>
>> But then the question comes: why is Solaris responding to
>> such requests, considering that UNIX systems are considered to be
>> secure?
>
>LOL! Good one! No, UNIX network has historically been something that
>worries more about convenience than security. Of course, there's a
>lot of security on UNIX now in modern systems, but the legacy of
>friendly openness left behind a distinct immunization against being
>anal, so things such as ICMP that many didn't think was a serious
>threat, so most UNIX's tend to respond, by default.
There is sense in that, but I'm concerned by what might be read as
support for the stupid idea that turning off ICMP responses has anything
to do with improving system or network security. There are plenty of
stupid frauds that call themselves security experts and consultants
that peddle that nonsense. If they were not stupid, they'd stay around
after getting their victims to turn off all of ICMP to charge for the
advice to turn back on the ICMP types whose lack causes blackholes and
other TCP problems.
Consider what a bad guy can or cannot do depending on whether 17 and 18
are disabled. Knowing the target's netmasks, a bad guy might play games
with directed broadcasts. However, the worst that disabled (or
unsupported) 17 and 18 cause for the bad guy is needing to make fewer
than a couple dozen guesses. There are some ICMP responses including
5 that are worrisome, but even they are quite valuable and should not
be blocked from their legitimate sources.
Vernon Schryver vjs@rhyolite.com