Router modifications to deal with smurf
Fun with my mailer, let me try this again.

So, if someone, or possibly a group of someones, were to make the following request to the various router vendors, would they be met with approval by most of the readers?

We request that your routers be configurable, at the interface level, to prevent the forwarding of an ICMP echo-request packet through an interface that has a broadcast or wire address that matches the destination address of that packet. We also request that the default configurations of your routers be modified to prevent said forwarding.

We request that your routers be configurable, both globally and at the interface level, with the interface configuration overriding the global configuration, to prevent the forwarding of an IP packet with a source network address different from the network address of the interface on which it was received. We also request that the default configurations of your routers be modified to prevent, globally, said forwarding.

--
Rusty Zickefoose | The most exciting phrase to hear in science,
rusty@mci.net    | the one that heralds new discoveries, is not
                 | "Eureka!", but "That's funny ..."
                 | -- Isaac Asimov
> We request that your routers be configurable, at the interface level, to prevent the forwarding of an ICMP echo-request packet through an interface that has a broadcast or wire address that matches the destination address of that packet.
Modifications that cause the forwarding path to behave differently for some type of packets are *bad*. ICMP echo-requests should be treated identically to other sorts of packets. If you s/an ICMP echo-request/an IP/, then you have the same as "no ip directed-broadcast". Your wording is sufficiently vague such that I can't tell if that's what you meant or not. I don't know if you're trying to avoid being cisco-specific, or if you're being vague for some other reason.
> We also request that the default configurations of your routers be modified to prevent said forwarding.
I don't have a problem with this.
> We request that your routers be configurable, both globally and at the interface level, with the interface configuration overriding the global configuration, to prevent the forwarding of an IP packet with a source network address different from the network address of the interface on which it was received. We also request that the default configurations of your routers be modified to prevent, globally, said forwarding.
I'd be concerned that having this as a default is not necessarily the right thing in sufficiently large numbers of situations as to make this a bad idea.

--jhawk
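To make concrete what the two requests (and the objection that the check should apply to any IP packet, not only ICMP echo-requests) mean in a forwarding path, here is an added illustration in Python; it is not code from this thread or from any router vendor, the topology and addresses are constructed, and the interface-overrides-global semantics follow the wording of the request above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

@dataclass
class Interface:
    name: str
    network: IPv4Network                 # the wire this interface is attached to
    directed_broadcast: bool = False     # forward net-directed broadcasts out this wire?
    source_check: Optional[bool] = None  # None = inherit the router's global setting

@dataclass
class Router:
    interfaces: Dict[str, Interface]
    global_source_check: bool = True     # the global default the proposal asks for

    def _connected_egress(self, dst: IPv4Address) -> Optional[Interface]:
        """Interface whose wire contains dst, if the destination is directly connected."""
        return next((i for i in self.interfaces.values() if dst in i.network), None)

    def forward_decision(self, ingress_name: str, src: str, dst: str) -> Tuple[str, str]:
        """Return (action, reason) for one IP packet; every protocol is treated alike."""
        ingress = self.interfaces[ingress_name]
        s, d = IPv4Address(src), IPv4Address(dst)

        # Check 1: the source must belong to the ingress wire. The interface
        # setting overrides the global one (None means inherit).
        check = self.global_source_check if ingress.source_check is None else ingress.source_check
        if check and s not in ingress.network:
            return "drop", f"source {s} is not on {ingress.name} ({ingress.network})"

        # Check 2: never deliver onto a wire's broadcast or network ("wire") address
        # unless the egress interface explicitly allows directed broadcasts.
        egress = self._connected_egress(d)
        if egress is None:
            return "route", "not directly connected; normal routing applies"
        wire_addrs = (egress.network.network_address, egress.network.broadcast_address)
        if d in wire_addrs and not egress.directed_broadcast:
            return "drop", f"{d} is a directed broadcast for {egress.name}; forwarding disabled"
        return "forward", f"deliver on {egress.name}"

def example_router() -> Router:
    """Constructed topology: a customer LAN on eth0, an upstream link on eth1."""
    return Router({
        "eth0": Interface("eth0", IPv4Network("192.0.2.0/24")),
        # The upstream side legitimately carries many source prefixes, so the
        # interface-level override disables the source check there only.
        "eth1": Interface("eth1", IPv4Network("203.0.113.0/24"), source_check=False),
    })
```

With the constructed router, a packet arriving on eth1 addressed to 192.0.2.255 is dropped regardless of protocol, and a packet arriving on eth0 with a source outside 192.0.2.0/24 is dropped by the inherited global source check.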
On Sun, Apr 26, 1998 at 05:59:42PM -0400, John Hawkinson wrote:
> > We request that your routers be configurable, both globally and at the interface level, with the interface configuration overriding the global configuration, to prevent the forwarding of an IP packet with a source network address different from the network address of the interface on which it was received. We also request that the default configurations of your routers be modified to prevent, globally, said forwarding.
> I'd be concerned that having this as a default is not necessarily the right thing in sufficiently large numbers of situations as to make this a bad idea.
I know we've collectively been here before, but is it not a reasonable assumption that people whose routing patterns might be asymmetrical enough to break this as a default should be expected to be bright enough to switch it off?

Cheers,
-- jra

--
Jay R. Ashworth                                    jra@baylink.com
Member of the Technical Staff        Unsolicited Commercial Emailers Sued
The Suncoast Freenet                 "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida                                     on alt.fan.heinlein
+1 813 790 7592   Managing Editor, Top Of The Key sports e-zine  http://www.totk.com
On Sat, 25 Apr 1998, Rusty Zickefoose wrote:

==> So, if someone, or possibly a group of someones, were to make the
==> following request to the various router vendors, would they be met with
==> approval by most of the readers?
==>
==> We request that your routers be configurable, at the interface
==> level, to prevent the forwarding of an ICMP echo-request packet through an
==> interface that has a broadcast or wire address that matches the
==> destination address of that packet. We also request that the default
==> configurations of your routers be modified to prevent said forwarding.

This is against RFC 1812. RFC 1812, "Requirements for IP Version 4 Routers", Section 5.3.5, specifies:

---
A router MAY have an option to disable receiving network-prefix-directed broadcasts on an interface and MUST have an option to disable forwarding network-prefix-directed broadcasts. These options MUST default to permit receiving and forwarding network-prefix-directed broadcasts.
---

Someone has stated before that editor(s) of said RFC are aware of this and have discussed the change in default.

Note that I'm not arguing that it *should* be the default, I'm just arguing that vendors have implemented it this way because that's the way they were told to in the RFC. If after reading http://www.quadrunner.com/~chuegen/smurf.txt, you think that I believe directed-broadcasts should be on by default, go back and read again. =)

Now, since this has been beaten past the jelly stage, can we please put the topic to sleep? Thank you.

/cah
Lucent/Livingston has pointedly ignored just this RFE request for over a year.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

On Sat, Apr 25, 1998 at 05:29:02PM -0400, Rusty Zickefoose wrote:
> Fun with my mailer, let me try this again.
>
> So, if someone, or possibly a group of someones, were to make the following request to the various router vendors, would they be met with approval by most of the readers?
>
> We request that your routers be configurable, at the interface level, to prevent the forwarding of an ICMP echo-request packet through an interface that has a broadcast or wire address that matches the destination address of that packet. We also request that the default configurations of your routers be modified to prevent said forwarding.
>
> We request that your routers be configurable, both globally and at the interface level, with the interface configuration overriding the global configuration, to prevent the forwarding of an IP packet with a source network address different from the network address of the interface on which it was received. We also request that the default configurations of your routers be modified to prevent, globally, said forwarding.
>
> --
> Rusty Zickefoose | The most exciting phrase to hear in science,
> rusty@mci.net    | the one that heralds new discoveries, is not
>                  | "Eureka!", but "That's funny ..."
>                  | -- Isaac Asimov
participants (5)
- Craig A. Huegen
- Jay R. Ashworth
- John Hawkinson
- Karl Denninger
- Rusty Zickefoose