I'll once again suggest adopting an extended router-to-router record route option which holds more info, more addresses than the current IP spec calls for that is, and is only used between routers trunc'd off on exit (well, configurable, of course.) Obviously then one has to get it into router software and turned on but that's nothing new as a problem whenever new technology is being adopted.

One useful feature is that it'd probably be difficult in most environments for the villain to know which sites support this tracing and which don't, since they probably can't see traffic on the router, and the info is removed when it leaves (e.g. hits their PPP session.)

Then if there's an attack one would only have to get the extended RR info from the router or routers the attack is coming through on your side to trace it back to a source router, and with luck could do something with that info. Even partial info, such as when it goes back through to a router which doesn't support this, should often be of some use.

--
        -Barry Shein

Software Tool & Die    | bzs@world.std.com      | http://www.world.com
Purveyors to the Trade | Voice: 617-739-0202    | Login: 617-739-WRLD
The World              | Public Access Internet | Since 1989     *oo*
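A small model of the proposal in the message above, added here as an illustration and not code from the original post. The message defines no wire format, so the `Packet`, `Router`, `deliver` and `trace` names, the pass-through behaviour of non-supporting routers, and the documentation-range addresses are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str                                    # claimed source, may be spoofed
    dst: str
    ext_rr: list = field(default_factory=list)  # hypothetical extended record route

@dataclass
class Router:
    addr: str
    supports_ext_rr: bool = True
    seen: list = field(default_factory=list)    # trails retained at the egress router

    def forward(self, pkt, next_hop_is_router):
        if not self.supports_ext_rr:
            return pkt        # assumption: option is passed through untouched
        pkt.ext_rr.append(self.addr)
        if not next_hop_is_router:
            # Leaving the router-to-router domain (e.g. a host's PPP link):
            # keep the trail on the router, strip it from the packet.
            self.seen.append((pkt.src, pkt.dst, tuple(pkt.ext_rr)))
            pkt.ext_rr = []
        return pkt

def deliver(path, pkt):
    """Forward pkt along an ordered list of routers; the last one faces the host."""
    for i, router in enumerate(path):
        pkt = router.forward(pkt, next_hop_is_router=i < len(path) - 1)
    return pkt

def trace(egress, victim):
    """Trails the victim-side router recorded for traffic sent to victim."""
    return [trail for _src, dst, trail in egress.seen if dst == victim]

def demo(first_hop_supports=True):
    # Constructed topology: r1 is nearest the sender, r3 is on the victim's side.
    r1 = Router("198.51.100.1", supports_ext_rr=first_hop_supports)
    r2 = Router("198.51.100.2")
    r3 = Router("192.0.2.1")
    spoofed = Packet(src="203.0.113.66", dst="192.0.2.10")
    return deliver([r1, r2, r3], spoofed), trace(r3, "192.0.2.10")

if __name__ == "__main__":
    for supports in (True, False):
        pkt, trails = demo(supports)
        print("host sees option:", pkt.ext_rr, "| egress trail:", trails)
```

The first entry of each trail is the earliest participating router on the path, whatever the packet's source field claims; when the first hop does not participate, the trail is shorter but still starts at the nearest router that does.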