Sean M. Doran <smd@clock.org> wrote:
How does a security policy of "turn off LSR handling" translate into anything other than an admission of completely missing the point that one should never ever ever ever trust any data based soley on where the network leads one to believe it has come from?
Hey, LSR is useful for all kinds of very interesting denial of service attacks. A clever combination of LSR and forged source addresses may make the attack virtually untraceable.
Turning off a useful but under-implemented network service...
Useful for what? traceroute -g is the _only_ useful application for LSR. Disabling LSR and adding an application level service for tracing back would be just as useful.
Quoting Radia Perlman:
"The goal is to design a network that will guarantee that a packet transmitted between two nonfaulty end systems A and B will have a high probability of being delivered, provided that at least one path consists of nonfaulty components connects the two end systems. [...] The network layer makes no attempt to keep conversations private. If privacy is necessary, encryption must be done at a higher layer. Also, the network layer need not certify data that it delivers. For instance, it is possible for some malicious node C to generate data, get it delivered to B, and claim that the data was from A. It is up to the higher layer in B to differentiate between corrupted or counterfeit data and real data, using known cryptographic techniques".
Encryption is an overkill for 99% of all applications. Disabling LSR and doing SA filtering can take care of _most_ security problems. And it is computationally cheap.
The proposal to turn off LSRR is a tremendously incomplete proposal to have the network certify the validity of the origin, at the cost of some additional utility and robustness from the point of view of end systems.
I would wholeheartedly agree with that proposal, if some useful substitute for traceroute -g is provided. This will not make the network absolutely secure (there ain't no such thing as absolute security), but it definitely will make it _more_ secure.
In any event I don't think that disabling LSRR in any way makes networking equipment more robust, and that is what you appear to be arguing.
To make equipment more robust you may want to use gold-plated connectors, have redundant power, etc. I love playing dumb :)
I will note that its none of someone else's business what one's internal topology looks like.
Sure it is. Or rather, it is useful to be able to infer a number of path characteristics between two communicating endpoints for such things as flow control and route selection.
That should be a matter of preference. Knowing network topology of a large corporation can give tremendous amounts of information about the corporation's structure and give clues to what projects the company's working on. Connection analysis is an old and venerable intelligence tool.
Networks and computers exist to offer services to users, and obscuring information that makes service use or selection difficult is a poor policy.
Hey. What information to disclose should be a voluntary choice.
How does LSR reduce network availability except in the case of implementations that slow-switch option-ridden IP datagrams and have no equivalent of SPD, or intermediate systems (gee, it's OSIspeek day, isn't it?) that don't use reasonable means to authenticate and keep private things like routing information exchanges or management sessions{
How'd you like to get a stream of nasty bogons aimed at your router(s) and arriving from virtually all directions? There's a number of ways to kill ciscos with pretty low-rate streams. --vadim
traceroute -g is the _only_ useful application for LSR. Disabling LSR and adding an application level service for tracing back would be just as useful.
Vadim. I am just a stoopid operator with a network to run. I am not at all cheered by trading a tool that works for a theory that could be designed and implemented some day. Until inter-NOC operation is facile, we have few tools for debugging inter- provider routing problems. So we use what we have although we realize that they have flaws. Not to discourage you and others from developing better tools. Please! randy
On Sat, 13 Sep 1997, Randy Bush wrote:
traceroute -g is the _only_ useful application for LSR. Disabling LSR and adding an application level service for tracing back would be just as useful.
Vadim. I am just a stoopid operator with a network to run. I am not at all cheered by trading a tool that works for a theory that could be designed and implemented some day.
I hate to spoil this nice "but it works" line but the reality is that enabled LSR is dangerous, therefore unless it is required for day-to-day operations, it should not be enabled. The line "that allows me to see what is going on in routers of my peers" is not something that could be considered acceptable based on a security policy. Randy, would you mind giving your peers access to your routers so they can see how you configured your own routers just to make sure that it is configured "right"? No? Why not? It is because you consider that they do not need to know how you route traffic on your backbone?
Until inter-NOC operation is facile, we have few tools for debugging inter- provider routing problems. So we use what we have although we realize that they have flaws.
That is up to the NOC you deal with. Just because you decide that you want them to do it that way, does not mean that their security policy allows them to do it. As far as attacks that utilize source routing go, as soon as I finish the Wargames tutorial for NETSEC97, I would be glad to take a day and write a complete description of how to make life of networks with LSR enabled very inconvinient. Best wishes, Alex ----------------------------------------------------------------------------- Alex "Mr. Worf" Yuriev Nationwide ISP Bandwidth: [www.netaxs.net] Net Access Outsourced News Reading: [www.newsread.com ] alex@{netaxs.com|yuriev.com} Outsourced Shell Accounts: [shellaccounts.com] RIP is irrelevant. Spoofing is futile. Your routes will be aggregated. -----------------------------------------------------------------------------
Randy, would you mind giving your peers access to your routers so they can see how you configured your own routers just to make sure that it is configured "right"?
No.
No? Why not? It is because you consider that they do not need to know how you route traffic on your backbone?
No.
That is up to the NOC you deal with. Just because you decide that you want them to do it that way, does not mean that their security policy allows them to do it.
Not a problem, as I do not have to peer with them. randy
participants (3)
-
Alex "Mr. Worf" Yuriev -
Randy Bush -
Vadim Antonov