On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor235@gmail.com> wrote:
Sure, but mirroring a port on the edge may not be the best way to go, ACL hits and logs dumped to syslog may be the best approach. So if your capturing traffic how are you mitigating this traffic with minimal impact?
sorry, my question was: "Do you have some pcaps, I'd be interested in seeing what sort of packets you are seeing with options added to them." I've seen things like mcast/pim/etc that will do this, and RSVP, I've not seen in-the-wild packets with options being a 'problem', though in theory they can be painful :( Some vendor gear has 'no ip-options' as an option...(which is really, 'ignore ip options', I believe), some has the ability to filter based on option(s). -chris
Mike
On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
got pcaps?
On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235@gmail.com> wrote:
Is it just me or has there been an increase in packets with IP options set hitting our front door? There are ways to mitigate e.g. IP options selective discard, and ACL IP options support. ACL entries on the edge appear to be the best way identify and log the source. IP options selective discard drops packets silently so from my view they are not as effective.
Is anyone doing anything else to identify and mitigate? I have been seeing hits on our firewalls but would rather take care of it at our edge with little or no impact.
Mike