"Michael Painter" <tvhawaii@shaka.com> writes:
michael's colleague writes:
Most ISP routers (and I have seen configs for over 1000 of them and only seen source route blocked on less than 10 of these! [1]) do not filter source routing (i.e. no "no ip source-route" entry). As a result, source routed packets float about the Internet.
There are good reasons to allow source routed packets to pass through a backbone unfettered; among other things it can facilitate debugging of routing anomalies by a knowledgeable individual. ISPs by and large are in the business of hauling bits around; they are not in the business of implementing security policy for their customers. One which tried was Pilot Network Services Inc. They are no longer around. Victim of .bomb or fundamentally unsound business plan? We could conjecture on and on, but this isn't the place for that. On the customer edge (i.e., not the service provider's router) one can implement whatever security policy suits, and live with the consequences... good, bad, or indifferent. My personal opinion is that 1918 address space is not inherently worse or better than any other address space out there from which one could suffer an attack, and though stateful firewalls are a huge help (and equal opportunity for dropping bogus stuff regardless of src/dst addresses) anyone who is dependent on a {src_addr, src_port, dst_addr, dst_port, seqnum} tuple for established connection security ought to wake up and smell the coffee; it's almost 2008 - get your crypto on. My $0.02 ---Rob
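An added example, not part of the thread above: a small Python routine a customer-edge operator could use to spot the loose/strict source-route IP options (LSRR/SSRR from RFC 791) that the colleague says most ISP routers let through. The sample packet is constructed here with documentation addresses; the builder and field names are this example's own, not from any router or tool.

```python
import struct

LSRR = 0x83  # Loose Source and Record Route (copied=1, class=0, number=3)
SSRR = 0x89  # Strict Source and Record Route (copied=1, class=0, number=9)

def parse_ipv4_options(packet: bytes):
    """Return [(type, data), ...] for the options in an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header length")
    opts, result, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                        # End of Option List
            break
        if t == 1:                        # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, opts[i + 2:i + length]))
        i += length
    return result

def source_route_hops(packet: bytes):
    """(mode, pointer, [hop addresses]) if LSRR/SSRR is present, else None."""
    for t, data in parse_ipv4_options(packet):
        if t in (LSRR, SSRR) and data:
            addrs = data[1:]
            hops = [".".join(map(str, addrs[j:j + 4]))
                    for j in range(0, len(addrs) // 4 * 4, 4)]
            return ("strict" if t == SSRR else "loose", data[0], hops)
    return None

def build_sample(hops, strict=False):
    """Constructed test packet: IPv4 header carrying an LSRR/SSRR option, no payload."""
    route = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    opt = bytes([SSRR if strict else LSRR, 3 + len(route), 4]) + route
    opt += b"\x00" * (-len(opt) % 4)      # pad to a 32-bit boundary with EOL
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0,
                      64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + opt
```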