barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec

• Previous message (by thread): barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
• Next message (by thread): barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> traceroute/tcptraceroute show packet loss and MUCH higher rtt than the
> corresponding direct pings on the reported hop entries.
> 
> Is this some sort of massaging or plain just "faking it"? Or is such
> things merely net-urban myth?

the vast majority of routers on the internet respond very differently to
traffic 'directed at them' as opposed to traffic 'routed through them'.

many routers will punt traffic "at them" (such as icmp echo) to a low-priority
control-plane (software) stack to respond to.  this is vastly different to what
may well be a hardware (ASIC) based forwarding path.

many routers will also typically rate-limit the number of such queries they
respond to per second.  this may even be a tunable setting (e.g. CoPP on some
Cisco products).

i'd suggest that you don't try to read ANYTHING into comparing 'traceroute'
with end-to-end icmp echo.  nor that traceroute only shows one direction of
traffic.


if you have IPSec/SSH and/or TCP in general which simply "doesn't work right",
i suggest you first verify that the end-to-end MTU is appropriate.  my bet is
that it isn't, and that PMTUD isn't working as expected because of some
filtering and/or broken devices/configuration in the path.

try sending pings at 1500 byte packets with DF set & see if they get through.
my money is on they don't.



cheers,

lincoln.

• Previous message (by thread): barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
• Next message (by thread): barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]