SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Difference between junos-ping and junos-icmp-ping

    Posted 09-24-2013 06:26

    I'm trying to understand the difference between some default applications defined in Junos.

     

    One typical example is junos-ping and junos-icmp-ping.

     

    If I do a "show configuration groups junos-defaults applications", I get the following:

     

    # ICMP Ping.
    #   The echo-reply is allowed upon return
    #
    application junos-icmp-ping {
        term t1 protocol icmp icmp-type echo-request;
    }

     

    and

     

    #
    # Ping  protocol
    #
    application junos-ping {
        term t1 protocol 1;
    }

     

    In trying to figure out protocol numbers, I came across this. So if protocol 1 is in fact ICMP, then does that mean that "term t1 protocol 1" is the same as "term t1 protocol icmp"?

     

    For now, I've been using junos-ping rather than junos-icmp-ping but would like to understand the difference (if any) between them.

     

    Thanks



  • 2.  RE: Difference between junos-ping and junos-icmp-ping



  • 3.  RE: Difference between junos-ping and junos-icmp-ping

    Posted 09-24-2013 07:51

    Yes, protocol 1 and protocol icmp are the same. The junos-icmp-ping further qualifies that by narrowing the icmp protocol to just echo-request messages. junos-ping is broader and matches on all icmp messages.

     

     



  • 4.  RE: Difference between junos-ping and junos-icmp-ping

    Posted 09-24-2013 10:40

    Thanks YNG for the link.

     

    So, in that case, isn't icmp-ping in fact the same resulting application as:

     

    # ICMP All Traffic
    #   This can be made to be more restrictive by specifying icmp
    #   type and code.
    #
    application junos-icmp-all {
        term t1 protocol icmp;
    }

     

    In which case why have two different definitions for exactly the same thing?



  • 5.  RE: Difference between junos-ping and junos-icmp-ping
    Best Answer

    Posted 09-24-2013 11:06

    @xavierwalker wrote:

    Thanks YNG for the link.

     

    So, in that case, isn't icmp-ping in fact the same resulting application as:

     

    # ICMP All Traffic
    #   This can be made to be more restrictive by specifying icmp
    #   type and code.
    #
    application junos-icmp-all {
        term t1 protocol icmp;
    }

     

    In which case why have two different definitions for exactly the same thing?


    You are correct, though you put the wrong application name; I know what you meant.

     

    In a nutshell:

     

    junos-ping and junos-icmp-all are functionally equivalent.  They both permit any/all ICMP traffic.

     

    I believe that this is an error in Junos.  'ping' should not equate to 'all.'  junos-ping may be a legacy holdover or old code?

     

    junos-icmp-ping permits ping requests.  The comment states that replies are allowed upon return, which I find interesting.  That seems sort of like a mini-ALG, since an echo-request is protocol 1 type 8 (echo), and a ping response is protocol 1 type 0 (echo reply).

     

    Any Juniper engineers care to weigh in here?
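
The comparison made in this thread can be checked mechanically. The following is an added example, not part of any post here and not Juniper code: it parses the three junos-defaults stanzas quoted above, normalizes `protocol 1` to `icmp`, and flags policies that reference an application matching every ICMP type. The policy lines and policy names are constructed, and it models only the application match, not stateful handling of return traffic.

```python
import re

# Constructed input: the three junos-defaults stanzas quoted in this thread.
JUNOS_DEFAULTS = """
application junos-icmp-ping {
    term t1 protocol icmp icmp-type echo-request;
}
application junos-ping {
    term t1 protocol 1;
}
application junos-icmp-all {
    term t1 protocol icmp;
}
"""
# Constructed policy lines; the policy names are hypothetical.
POLICIES = [
    "set security policies from-zone trust to-zone untrust policy mon-ping match application junos-ping",
    "set security policies from-zone trust to-zone untrust policy echo-only match application junos-icmp-ping",
]
PROTO = {"1": "icmp"}                        # IP protocol number 1 is ICMP
ICMP_TYPE = {"echo-request": 8, "echo-reply": 0}

def parse_applications(text):
    """Map application name -> frozenset of (protocol, icmp_type or None), one per term."""
    apps = {}
    for name, body in re.findall(r"application\s+(\S+)\s*\{(.*?)\}", text, re.S):
        terms = set()
        for term in re.findall(r"term\s+\S+\s+(.*?);", body, re.S):
            tok = term.split()
            kv = dict(zip(tok[0::2], tok[1::2]))  # keyword/value pairs in the term
            proto = PROTO.get(kv.get("protocol", "any"), kv.get("protocol", "any"))
            t = kv.get("icmp-type")               # None means "any ICMP type"
            t = int(t) if t and t.isdigit() else ICMP_TYPE.get(t, t)
            terms.add((proto, t))
        apps[name] = frozenset(terms)
    return apps

def equivalent_groups(apps):
    """Groups of application names whose normalized match sets are identical."""
    groups = {}
    for name, terms in apps.items():
        groups.setdefault(terms, []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def audit(policy_lines, apps):
    """Return (policy, application) pairs whose application matches every ICMP type."""
    hits = []
    for line in policy_lines:
        m = re.search(r"policy\s+(\S+)\s+match\s+application\s+(\S+)", line)
        if m and ("icmp", None) in apps.get(m.group(2), ()):
            hits.append((m.group(1), m.group(2)))
    return hits
```
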



  • 6.  RE: Difference between junos-ping and junos-icmp-ping

    Posted 09-25-2013 02:15

    Thanks Keith. You've confirmed my suspicions on this, although I used the wrong application name? What I wanted to clarify was that junos-ping != junos-icmp-ping but in fact junos-ping = junos-icmp-all

     

    Handy there's a replace pattern function in Junos 🙂



  • 7.  RE: Difference between junos-ping and junos-icmp-ping

    Posted 07-19-2014 05:40

     and All

     

    >junos-icmp-ping permits ping requests.  The comment states that replies are allowed upon return, which I find interesting.  That seems sort of like a mini-ALG, since an echo-request is protocol 1 type 8 (echo), and a ping response is protocol 1 type 0 (echo reply).

     

    I think "junos-icmp-ping" isn't only an echo-request and echo-reply protocol.

    At my customer I have to permit only A -> B icmp-type 8 (echo) icmp-code 0, and the reply, which would be A <- B icmp-type 0 icmp-code 0.

    However, adding a policy using "junos-icmp-ping" permits not only pings but also tracert replies, which use icmp-type 11 and icmp-code 0...

    I think maybe using an ACL rather than a policy (which is stateful) could solve this issue... maybe...

    Have to test.

     

    Regards

     
