Curtis wrote:
I've said many times that if security in your network is weak enough that you need to worry about LSRR packets you need to worry about security in your network.
Not at all. LSRR is a nice tool to mount practically untraceable flooding attack (hint -- just forge source address and spread intermediate points evenly across the network). Shutting you down may be exactly what the attacker wants. (LSRR attacks against service providers are particlularly bad -- just imagine somebody flooding you at T-1 speed and bouncing packets back and forth two dozen times. Poof -- here goes the T-3 :) There are particularly nasty man-in-the-middle attacks (which defeat one-time-password login authentication, like that) if you can combine LSRR with bogus routing.
The minute someone unpacks a Sun workstation, configures an IP address and sticks it on the ethernet without installing the security patches and doing the administrative work needed to secure the machine, if you had a small hole in your security with LSRR, you now have a gaping hole in your security. If you are relying on blocking LSRR, your security is a weak as the most peerly administered machine on your network. A real bad thing if you are constantly hiring.
I never argued that blocking LSRR plugs all security holes. However it is one thing _not_ used in normal operations; and everything not used _must_ be shut down by a prudent security. And, again, there are several LSRR-based attacks.
Even so, if anywhere, where you want LSRR turned off is the border router(s) in front of the machines used for operations, network management, etc.
Obviously you want your network to be secure even if LSRR was enabled for the reason I cited above.
Security Rule #1: You're never secure. Turning LSRR off doesn't particularly hurt connectivity, and is cheap. It's a way to _improve_ security. --vadim