Re: If you have nothing to hide
Thus spake <bdragon@gweep.net>
> <snip>
> our packets. While I'm certainly in favor of anything edge providers can do to eliminate denial of service attacks based on source-routing, I certainly don't want anything further. <snip>
denial of service based upon source routing? I hadn't heard of any denial of service attacks of that sort.
Disabling source-routing is like filtering ICMP: sure, you might block a few abuses, but more often than not you are throwing out legitimate traffic.
I can't come up with any legitimate reason to use source-routed packets today. If your routers even support them, they probably consume orders of magnitude more processing power than normal packets; that is enough reason to disable source-routing, not to mention the security implications.
S
Validation of routing policy to ensure others aren't abusing you (pointing default, for example). As for orders of magnitude, once an IP option is in a packet, the damage is essentially done; otherwise, looking up the path to an address in the options is no more impactive than looking up the address in the original destination field.

Source-routing only has security implications for those with defenses which permit traffic through some type of backdoor. The backdoor has more security implications than the source-routing, since it may be compromised in other manners.
> Validation of routing policy to ensure others aren't abusing you (pointing default, for example). As for orders of magnitude, once an IP option is in a packet, the damage is essentially done; otherwise, looking up the path to an address in the options is no more impactive than looking up the address in the original destination field.
Well, no. Not really. First off, following the 80/20 rule (or in this case 99.x/(100-99.x) rule) says that hardware implementations which get optioned packets punt them to software. This is at every hop. Second, the IP source route is a stack of IP addresses, which must be modified at every hop. This implies not just software forwarding, but also significantly more work than an IP lookup.

eric
> > Validation of routing policy to ensure others aren't abusing you (pointing default, for example). As for orders of magnitude, once an IP option is in a packet, the damage is essentially done; otherwise, looking up the path to an address in the options is no more impactive than looking up the address in the original destination field.
> Well, no. Not really. First off, following the 80/20 rule (or in this case 99.x/(100-99.x) rule) says that hardware implementations which get optioned packets punt them to software. This is at every hop.
> Second, the IP source route is a stack of IP addresses, which must be modified at every hop. This implies not just software forwarding, but also significantly more work than an IP lookup.
As I said, once the option is in the packet, the damage is done. If the performance sucks for the person using the source-routing, who cares, assuming packets without IP options are forwarded without delay. If I'm not mistaken, most (if not all) vendors still punt the packets with source-routing options to software, even if they end up dropping the packet due to administrative decision.
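The per-hop work the two of them are arguing about is easy to see in code. The block below is an added example, not anything posted in the thread: it implements RFC 791 loose/strict source-route handling for one router hop (the next address in the option replaces the destination field, the router writes its own address into the vacated slot, and the pointer advances by four), and alongside it the "no ip source-route" decision, which still has to walk the option list before it can drop anything. Addresses are RFC 5737 documentation ranges chosen for illustration; TTL decrement, the routing lookup, and the strict-route adjacency test are deliberately left out, and whether a given platform punts such packets to software is, as the thread says, vendor and engine specific.

```python
"""
Added example (not code from the thread): one router hop's handling of an
RFC 791 loose/strict source-route option, plus the administrative drop check.
Addresses are RFC 5737 documentation ranges; TTL, routing lookups and the
strict-route adjacency test are not modelled.
"""
import ipaddress
import struct

IPOPT_LSRR = 0x83  # loose source and record route (RFC 791)
IPOPT_SSRR = 0x89  # strict source and record route (RFC 791)


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_source_route_option(kind: int, hops: list) -> bytes:
    """Encode LSRR/SSRR: type, length, pointer (starts at 4), then the hop list."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(route), 4]) + route


def build_ipv4_header(src: str, dst: str, options: bytes = b"", ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no payload) with options padded to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # end-of-list padding
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, ttl, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def find_source_route(hdr: bytes):
    """Walk the option list; return (offset, kind) of an LSRR/SSRR option, else None."""
    ihl = (hdr[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        kind = hdr[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # no-operation, single byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = hdr[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return i, kind
        i += length
    return None


def is_source_routed(hdr: bytes) -> bool:
    """The 'no ip source-route' decision.  Reaching it already means the option
    list was walked, i.e. the packet has left the hardware fast path."""
    return find_source_route(hdr) is not None


def forward_hop(hdr: bytes, my_addr: str) -> tuple:
    """One hop's source-route work.  Returns (action, header) with action one of
    'fastpath' (no option present), 'transit' (option present, we are not the
    current destination), 'deliver' (pointer past the end, route exhausted) or
    'rewrite' (next hop moved into the destination field, our address recorded
    in the vacated slot, pointer advanced by four)."""
    found = find_source_route(hdr)
    if found is None:
        return "fastpath", hdr
    off, _kind = found
    length, ptr = hdr[off + 1], hdr[off + 2]
    if str(ipaddress.IPv4Address(hdr[16:20])) != my_addr:
        return "transit", hdr
    if ptr > length:
        return "deliver", hdr
    if ptr < 4 or ptr % 4 or ptr + 3 > length:
        raise ValueError("malformed source-route pointer")
    h = bytearray(hdr)
    slot = off + ptr - 1                      # pointer is 1-based, relative to option start
    next_hop = bytes(h[slot:slot + 4])
    h[slot:slot + 4] = ipaddress.IPv4Address(my_addr).packed   # record our address
    h[16:20] = next_hop                                        # next hop becomes dst
    h[off + 2] = ptr + 4
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return "rewrite", bytes(h)


def walk_route(src: str, first_hop: str, rest: list, kind: int = IPOPT_LSRR) -> tuple:
    """Drive a packet hop by hop; return ([(hop, action), ...], recorded_route)."""
    hdr = build_ipv4_header(src, first_hop, build_source_route_option(kind, rest))
    trace, hop = [], first_hop
    while True:
        action, hdr = forward_hop(hdr, hop)
        trace.append((hop, action))
        if action == "deliver":
            break
        if action != "rewrite":
            raise RuntimeError("unexpected action %r at %s" % (action, hop))
        hop = str(ipaddress.IPv4Address(hdr[16:20]))
    off, _kind = find_source_route(hdr)
    length = hdr[off + 1]
    recorded = [str(ipaddress.IPv4Address(hdr[off + 3 + i:off + 7 + i]))
                for i in range(0, length - 3, 4)]
    return trace, recorded


if __name__ == "__main__":
    trace, recorded = walk_route("10.0.0.1", "192.0.2.1", ["198.51.100.1", "203.0.113.9"])
    for hop, action in trace:
        print("%-14s %s" % (hop, action))
    print("recorded route:", recorded)
    print("plain packet needs option processing:",
          is_source_routed(build_ipv4_header("10.0.0.1", "203.0.113.9")))
```

Walking the constructed packet from 10.0.0.1 through 192.0.2.1 and 198.51.100.1 to 203.0.113.9 shows both points at once: every intermediate hop has to parse the option, overwrite four bytes of the option and the destination field, and recompute the header checksum, which is the "stack of addresses modified at every hop" cost; and a router configured to drop source-routed packets takes the same option-parsing path up to the `is_source_routed` branch before it can discard the packet, which is why the option's presence, not the eventual verdict, determines whether the packet stays on the fast path.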
On Mon, Aug 05, 2002 at 06:46:59PM -0400, bdragon@gweep.net wrote:
> As I said, once the option is in the packet, the damage is done. If the performance sucks for the person using the source-routing, who cares, assuming packets without IP options are forwarded without delay.
You care...the more work you do in SW, the less time your SW has to do useful things like make sure the HW is talking to the control plane. This is either an argument for more HW support for optioned packets or less optioned packets on the network, depending on your perspective.
> If I'm not mistaken, most (if not all) vendors still punt the packets with source-routing options to software, even if they end up dropping the packet due to administrative decision.
Yeah, generally, although it could certainly depend not only on vendor but on engine... :)

eric
participants (2)
- bdragon@gweep.net
- Eric Osborne