Joseph S D Yao wrote:
On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote: ...
Who thinks it would be a "good idea" to have a knob such that ICMP error messages are always sourced from a certain IP address on a router?
...
I've sometimes thought it would be useful when I wanted to hide a route. But security via obscurity just makes it that much harder to fix something. Many more times than this would have been useful, I've been able to identify at which router a problem was by a 'traceroute' that told me into which router, by which interface, I was going, when the owner of the router might not even have known. Or I have had attempts to do this foiled by routers that used an internal loopback IP address. On the whole, then, I guess I would vote "no".
Why not just do a show ip route, since you can actually verify the information against your routing table? This way you can see when the route was learned, where it was learned from, and how long ago it was last updated. The problem is that too many people "engineers" rely on traceroute. Sure, traceroute is a wonderful tool; however, it is meant to assist you in "tracking down" the problem. I've seen far too many "you are filtering, investigate please" when all that has been done is implementing ACLs and rate limiting.

IMO, if you want to implement non-routable IP space to protect your backbone, go for it. If you want to ICMP rate limit *I know Level3 does this out of both NYC and LA*, which causes mass threads of "we are getting packet loss, please investigate", go for it. If your network engineers are not equipped with the information on how to fully diagnose a network/problem, you should think about new hires.

Cheers,
Payam
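A worked example of the kind of traceroute reading the thread argues for, added here and not part of any post: it parses constructed traceroute output with Python's standard library, labels hops whose probe loss is not shared by later hops (the signature of ICMP rate limiting on that router's control plane) separately from loss that persists to the end of the path, and flags hops answering from RFC 1918 or loopback space. The sample hop addresses and the HIDDEN_SPACE list are assumptions of the example.

```python
import ipaddress
# Constructed traceroute output (not from the original thread): hop 3 answers
# from RFC 1918 space, hop 4 drops probes while later hops are clean (what ICMP
# rate limiting on that router looks like), hop 5 never answers, hop 7 is last.
SAMPLE_TRACEROUTE = """\
 1  192.0.2.1      0.4 ms  0.3 ms  0.4 ms
 2  198.51.100.9   1.2 ms  1.1 ms  1.3 ms
 3  10.255.0.7     2.0 ms  2.1 ms  2.0 ms
 4  203.0.113.5    *       *       9.8 ms
 5  *              *       *
 6  203.0.113.77   10.1 ms 10.0 ms 10.2 ms
 7  203.0.113.200  *       11.0 ms *
"""
# RFC 1918 plus loopback, checked explicitly rather than via is_private so the
# documentation ranges used in the sample are not flagged as hidden (assumption).
HIDDEN_SPACE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
def parse_hops(text):
    """Return [(hop, responder address or None, probes lost)] per hop line."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        addr = None
        for tok in tokens[1:]:  # first token that parses as an IP is the responder
            try:
                addr = ipaddress.ip_address(tok)
                break
            except ValueError:
                pass
        hops.append((int(tokens[0]), addr, tokens.count("*")))
    return hops

def classify(hops):
    """Map hop -> label. Probe loss that later hops do not share is the router's
    control plane (rate limiting / deprioritised ICMP), not forwarding loss."""
    labels = {}
    for i, (hop, addr, lost) in enumerate(hops):
        later_clean = any(l == 0 for _, _, l in hops[i + 1:])
        if addr is not None and any(addr in net for net in HIDDEN_SPACE):
            labels[hop] = "hidden-space"
        elif addr is None:
            labels[hop] = "no-reply" if later_clean else "loss"
        elif lost:
            labels[hop] = "rate-limited?" if later_clean else "loss"
        else:
            labels[hop] = "ok"
    return labels
```

Only a hop whose loss carries through to every later hop (or the final hop itself) is reported as forwarding loss; everything else is a reason to check the routing table before filing a "you are filtering" ticket.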