[CONTACT]

[ABOUT]

[POLICY]

The strange case of ICMP Type

Found at: gopher.blog.benjojo.co.uk:70/traceroute-haikus

 Traceroute Haiku’s
 ===

"The strange case of ICMP Type 69 on Linux"

"Anycast possibly done better"

"IP over AX.25 over 802.11 with ESP8266"

"I may be the only evil (bit) user on the internet"

"TOTP SSH port fluxing"

 Sometimes I like to think that I do "serious" blog posts
like "The strange case of ICMP Type 69 on Linux" or "Anycast
possibly done better". However I also do a lot of stupid ones like
"IP over AX.25 over 802.11 with ESP8266", "I may be the only
evil (bit) user on the internet" or "TOTP SSH port fluxing".
 This one definitely falls into the latter category.
 Traceroutes are a common network debugging diagnostic tool.
They (should) list every router that your packet travels through
to get to its final destination. Here is what it looks like
from my flat to my website:
 ```
 # traceroute6 benjojo.co.uk -q 1
 traceroute to benjojo.co.uk (2400:cb00:2048:1::6814:6110), 30
hops max, 80 byte packets
  1  switch0.home-edge.bone.benjojo.co.uk (2a07:1500:4663::2)
0.245 ms
  2  home-ipv6.choopa-lhr.bone.benjojo.co.uk (2a07:1500:1111::2)
 1.358 ms
  3  *
  4  2001:19f0:7400:8000::1 (2001:19f0:7400:8000::1)  1700.039
ms
  5  ldn-b3-link.telia.net (2001:2000:3080:dc1::1)  1.744 ms
  6  ldn-b5-v6.telia.net (2001:2000:3018:b::1)  1.968 ms
  7  cloudflare-ic-306325-ldn-b3.c.telia.net
(2001:2000:3080:a4b::2)  2.307 ms
  8  2400:cb00:21:1024::a29e:99be (2400:cb00:21:1024::a29e:99be)
 2.231 ms
 ```
 Traceroutes work using the `Time To Live` (for IPv4) or
`Hop Limit` (for IPv6) field.

IPv6 packet diagram

 IPv6 packet diagram
 The idea of this value is to stop packets from infinitely
going in circles in case of a fault in a network. For every
router a packet jumps though, this number is decreased.
 However to let the other side know that a packet was lost
in the manner, the router is supposed to return the packet
inside another packet to notify them:

IPv6 ICMP packet in wireshark

 IPv6 ICMP packet in wireshark
 The idea of traceroute is to purposely set this hop limit
very low and incrementally increase it upwards to discover all
routers in the path between you and the destination:

how a traceroute works gif

 how a traceroute works gif
 In addition, traceroute tools helpfully lookup the "reverse
DNS" of the IP address to find out more information about the
router. Even if placing reverse DNS on these IP addresses is
entirely optional, most operators do set it to help their clients
debug things.
 Critically, if you own an IP block you can point the
reverse DNS to whatever you want (most hosting providers let you
edit their zone file though, though some of them validate the
records you provide). People have used that and this common feature
of traceroute to build fun addresses to trace that often spell
out funny things, one example being `bad.horse`:
 ```
 ben@metropolis:~$ traceroute bad.horse --resolve-hostnames -q 1
-f 20
 traceroute to bad.horse (162.252.205.157), 64 hops max
   1   162.252.205.3 (t01.nycmc1.ny.us.sn11.net)  91.633ms
   2   162.252.205.130 (bad.horse)  92.802ms
   3   162.252.205.131 (bad.horse)  97.476ms
   4   162.252.205.132 (bad.horse)  104.194ms
   5   162.252.205.133 (bad.horse)  107.089ms
   6   162.252.205.134 (he.rides.across.the.nation)
111.847ms
   7   162.252.205.135 (the.thoroughbred.of.sin)  117.324ms
   8   162.252.205.136 (he.got.the.application)  121.631ms
   9   162.252.205.137 (that.you.just.sent.in)  129.549ms
  10   162.252.205.138 (it.needs.evaluation)  132.131ms
  11   162.252.205.139 (so.let.the.games.begin)  138.446ms
  12   162.252.205.140 (a.heinous.crime)  145.218ms
  13   162.252.205.141 (a.show.of.force)  146.721ms
  14   162.252.205.142 (a.murder.would.be.nice.of.course)
151.821ms
  15   162.252.205.143 (bad.horse)  156.510ms
  16   162.252.205.144 (bad.horse)  161.704ms
  17   162.252.205.145 (bad.horse)  166.850ms
  18   162.252.205.146 (he-s.bad)  171.846ms
  19   162.252.205.147 (the.evil.league.of.evil)  180.018ms
  20   162.252.205.148 (is.watching.so.beware)  187.773ms
  21   162.252.205.149 (the.grade.that.you.receive)
188.834ms
  22   162.252.205.150 (will.be.your.last.we.swear)
191.852ms
  23   162.252.205.151 (so.make.the.bad.horse.gleeful)
196.578ms
  24   162.252.205.152 (or.he-ll.make.you.his.mare)
202.037ms
  25   162.252.205.153 (o_o)  207.124ms
  26   162.252.205.154 (you-re.saddled.up)  211.627ms
  27   162.252.205.155 (there-s.no.recourse)  219.691ms
  28   162.252.205.156 (it-s.hi-ho.silver)  222.107ms
  29   162.252.205.157 (signed.bad.horse)  225.336ms
 ```
 Or Louis Poinsignon (https://www.mygb.eu), who made a version
of his CV/Resume for traceroute!
 ```
 # mtr -rwc 1  cv6.poinsignon.org
 Start: Mon Sep  4 14:27:22 2017
 HOST:
              Loss%
   1.|-- switch0.home-edge.bone.benjojo.co.uk
0.0%
   2.|-- Benjojo-2.tunnel.tserv17.lon1.ipv6.he.net     0.0%
   3.|-- 10ge3-3.core1.lon2.he.net
    0.0%
   4.|-- 100ge6-2.core1.ams1.he.net
    0.0%
   5.|-- amsix.poneytelecom.eu
      0.0%
   6.|-- 2001:bc8:0:1::131
        0.0%
   7.|-- 2001:bc8:400:1::32
        0.0%
   8.|-- hello
              0.0%
   9.|-- My.name.is.Louis.Poinsignon
   0.0%
  10.|-- I.am.a.network.and.systems.Engineer
0.0%
  11.|-- This.is.my.resume.over.traceroute
0.0%
  12.|-- o---Experience---o
       0.0%
  13.|-- 2017.Cloudflare.NetworkEngineer.London
0.0%
  14.|-- 2016.Cloudflare.NetworkEngineer.Intern.SF     0.0%
  15.|-- 2015.CEA.SoftwareEngineer.Intern.France       0.0%
  16.|-- 2014.Android.dev.Remote
     0.0%
  17.|-- o---Education---o
        0.0%
  18.|-- 2015-2016.DrexelUni.Exchange.CE.Philadelphia  0.0%
  19.|-- 2011-2016.UTT.Master.CE.France
 0.0%
  20.|-- o---Skills---o
         0.0%
  21.|-- C.Java.Python.Maths
       0.0%
  22.|-- Net.Linux.Archicture
      0.0%
  23.|-- Statistics.Maths.Design.Photoshop
0.0%
  24.|-- o---Various---o
         0.0%
  25.|-- Swimming.and.karate
       0.0%
  26.|-- Piano
              0.0%
  27.|-- o---Contact---o
         0.0%
  28.|-- mail.jobs.at.poinsignon.org
   0.0%
  29.|-- cv6.poinsignon.org
       0.0%
 ```
 I can think of two ways this can be done: either chain
lots of fake interfaces inside a single system and use that as
"router hops", or augment the whole thing with user space
networking to generate the fake expiry messages to make it seem like
there are routers in the path that are not there.

stand back i'm going to do user space networking or science (xkcd)

 stand back i'm going to do user space networking or
science (xkcd)

TUN/TAP

 To do this today, I am going to use a built in system
inside linux called TUN/TAP. This is the system used to make VPNs
work. The idea is that it can make a "network port" on your
computer, that instead of going to a physical section of hardware,
goes instead to a program that handles the packet.
 The idea is to write a simple network adapter that would
insert 4 fake router hops for any packet destined for an address
ending in 4.

Haiku

 With these fake 4 router hops, I can fit 4 small
sentences in the reverse DNS entries of the IP addresses. I opted
to show a Haiku since they are small, typically 3 sentences,
and we can find lots of them:
 >whitecaps on the bay
 >
 >the overhead cries
 >
 >of migrating birds
 >
 >Polona Oblak
 I could turn this into:
 >Whitecaps.on.the.bay
 >
 >The.overhead.cries
 >
 >Of.migrating.birds
 >
 >author.Polona.Oblak
 I then wrote the networking config to route a /48 of IPv6
space to a Raspberry Pi on my shelf, and got to writing the
TUN adapter. The idea was to do something like this:

networking stack diagram

 networking stack diagram
 Thankfully the process to generate "TTL/Hop limit expired"
packets is fairly easy, and you can find the code to do this
here:
https://github.com/benjojo/traceroute-haiku/blob/master/haiku-tun/main.go
 All wrapped up in a basic systemd service and we are good
to go:
 ```
 [Service]
 Type=simple
 ExecStart=/usr/bin/haiku-tun
 ExecStartPost=/bin/sleep 2
 ExecStartPost=/sbin/ifconfig haiku0 up
 ExecStartPost=/bin/ip -6 addr add 2a07:1500:c::1 dev haiku0
 ExecStartPost=/bin/ip -6 route add 2a07:1500:c::/64 dev
haiku0
 ExecStartPost=/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
 Restart=always
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=haiku
 User=root
 [Install]
 WantedBy=multi-user.target
 ```

www.dailyhaiku.org

a small go program

 I then scraped all of www.dailyhaiku.org (sorry!) using Lynx
and a bash loop, and then wrote a small go program to
generate the required BIND zone file entries:
 ```
 ben@metropolis:~/traceroute-haiku/haikus$ ./haikus | more
 2017/09/05 23:59:04 # We found 3078 haikus
0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.0.0.0.5.1.7.0.a.2.ip6.arpa.        10        IN        PTR
haiku-trace.x.benjojo.co.uk.
1.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.0.0.0.5.1.7.0.a.2.ip6.arpa.        10        IN        PTR
balmy.breeze.
2.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.0.0.0.5.1.7.0.a.2.ip6.arpa.        10        IN        PTR
swarming.bees.circle.
3.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.0.0.0.5.1.7.0.a.2.ip6.arpa.        10        IN        PTR
the.river.bank.
4.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.0.0.0.5.1.7.0.a.2.ip6.arpa.        10        IN        PTR
author.olona.blak.
 ```

some basic bash script

 After that, some basic bash script to rotate every minute
the addresses that `haiku-trace.x.benjojo.co.uk` resolve to, to
ensure that you have fresh ones every time, and we are away!

haiku trace on windows

 haiku trace on windows

haiku trace with linux and mtr

 haiku trace with linux and mtr
 All served from this precariously hanging pi in my living
room :)

the pi powering it all, hanging from it's POE adapter

 the pi powering it all, hanging from it's POE adapter


AD: