What are people's feelings on loose source routing? The general sentiment around here is that it is a very evil thing. The reason I ask is that there is a certain network out there (who will remain nameless) who refuses to peer unless loose source routing is enabled. I can somewhat understand their reasoning (they can reroute traffic on OUR network as necessary) but the security implications far outweigh the benefits. Not only this, I'm not comfortable with an outside source having control over routing on our network anyway.

-Dave

--
+------------------------------+
Dave McGaugh, CCNA
Peering & IP Backbone Engineer
Electric Lightwave, Inc.
E-mail: dmcgaugh@eli.net
Direct Dial: 360.816.3718
Fax: 360.816.3522
+------------------------------+
On Tue, Mar 06, 2001 at 09:49:47AM -0800, David McGaugh wrote:
What are people's feelings on loose source routing? The general sentiment around here is that it is a very evil thing. The reason I ask is that there is a certain network out there (who will remain nameless) who refuses to peer unless loose source routing is enabled. I can somewhat understand their reasoning (they can reroute traffic on OUR network as necessary) but the security implications far outweigh the benefits. Not only this, I'm not comfortable with an outside source having control over routing on our network anyway.
Huh? The reason to permit this is to verify peering policy. This allows people to traceroute to verify packet path. Example: I announce 172.16.0.0/16 only. I want to verify that you are not pointing default at me, so I can do a loose source traceroute to 10.0.0.0 via the peering point. Most people's peering policies that I'm aware of only required that it be enabled at the edge (peering/NAP router).

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
It makes sense to require peers to allow LSTR through their peer's networks. Any badness that LSTR would allow seems to pale in comparison to A> Peer's need to check policy compliance and operational troubleshooting, and B> other nefarious things that can be done and not solved.

-a

Thus spake David McGaugh (david_mcgaugh@eli.net) on or about Tue, Mar 06, 2001 at 09:49:47AM -0800:
What are people's feelings on loose source routing? The general sentiment around here is that it is a very evil thing. The reason I ask is that there is a certain network out there (who will remain nameless) who refuses to peer unless loose source routing is enabled. I can somewhat understand their reasoning (they can reroute traffic on OUR network as necessary) but the security implications far outweigh the benefits. Not only this, I'm not comfortable with an outside source having control over routing on our network anyway.

-Dave

--
+------------------------------+
Dave McGaugh, CCNA
Peering & IP Backbone Engineer
Electric Lightwave, Inc.
E-mail: dmcgaugh@eli.net
Direct Dial: 360.816.3718
Fax: 360.816.3522
+------------------------------+
What are people's feelings on loose source routing? The general sentiment around here is that it is a very evil thing. The reason I ask is that there is a certain network out there (who will remain nameless) who refuses to peer unless loose source routing is enabled. I can somewhat understand their reasoning (they can reroute traffic on OUR network as necessary)
false. the reason is that our noc can debug your routing problem without going through the problems of getting intelligent cooperation from your noc.

randy
Thanks for all the great input, minus the somewhat uncivil comments of some!

-Dave

Randy Bush wrote:
What are people's feelings on loose source routing? The general sentiment around here is that it is a very evil thing. The reason I ask is that there is a certain network out there (who will remain nameless) who refuses to peer unless loose source routing is enabled. I can somewhat understand their reasoning (they can reroute traffic on OUR network as necessary)
false. the reason is that our noc can debug your routing problem without going through the problems of getting intelligent cooperation from your noc.
randy
--
+------------------------------+
Dave McGaugh, CCNA
Peering & IP Backbone Engineer
Electric Lightwave, Inc.
E-mail: dmcgaugh@eli.net
Direct Dial: 360.816.3718
Fax: 360.816.3522
+------------------------------+
false. the reason is that our noc can debug your routing problem without going through the problems of getting intelligent cooperation from your noc.
randy
Couldn't this be restricted to originate from certain hosts with certain identities? (Have the peer NOC authenticate and then just log usage?) One side gains troubleshooting and policy verification, the other gets non-repudiation and an audit trail.

-bradly
From: "Walters" <bwalters@inet-direct.com> Date: Tue, 6 Mar 2001 21:19:26 -0600 Sender: owner-nanog@merit.edu
Couldn't this be restricted to originate from certain hosts with certain identities? (Have the peer noc authenticate and then just log usage?)
This is really not too useful. How you route to our NOC is not as important as how you route to our customers. That means LS packets need to have source addresses from fairly random places.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Kevin wrote:
From: "Walters" <bwalters@inet-direct.com> Date: Tue, 6 Mar 2001 21:19:26 -0600 Sender: owner-nanog@merit.edu
Couldn't this be restricted to originate from certain hosts with certain identities? (Have the peer noc authenticate and then just log usage?)
This is really not too useful. How you route to our NOC is not as important as how you route to our customers. That means LS packets need to have source addresses from fairly random places.
More to the point, there is no COMPELLING REASON to perform such restriction. People who are afraid of LSRR should feel free to turn it off at their hosts. Operators who discover that their performance is degrading due to too much LSRR may have legitimate issues, but I think of them as "bridge that gap when we come to them" -type issues. (Obvious solutions include rate-limiting.) Personally, I think this is unlikely to happen ("famous last words").

--jhawk
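The option Jared's loose-source traceroute rides on, and the edge-only honouring policy he mentions (plus the logging Bradly asks for), as an added illustration that is not part of the thread: this parses the IPv4 LSRR/SSRR option (RFC 791 option types 131 and 137) out of a raw header and applies a simple decision that forwards LSRR only when the packet arrived on the peering edge, otherwise drops and returns a loggable reason. The header builder and the addresses are constructed for the example.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137   # RFC 791 option type codes: loose / strict source route

def build_header(src, dst, route, kind=LSRR):
    """Constructed sample: a minimal IPv4 header carrying one source-route option."""
    opt = bytes([kind, 3 + 4 * len(route), 4])            # type, length, pointer (min 4)
    opt += b"".join(ipaddress.IPv4Address(h).packed for h in route)
    opt += b"\x00" * (-len(opt) % 4)                       # pad options to 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opt), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opt

def parse_source_route(packet):
    """Return (kind, pointer, [hop, ...]) for an LSRR/SSRR option, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                       # End of Option List
            break
        if t == 1:                       # No Operation (single byte, no length)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        ln = opts[i + 1]
        if t in (LSRR, SSRR):
            if ln < 3 or (ln - 3) % 4:  # pointer byte plus whole 4-byte addresses
                raise ValueError("bad source-route option length")
            hops = [str(ipaddress.IPv4Address(opts[j:j + 4])) for j in range(i + 3, i + ln, 4)]
            return ("LSRR" if t == LSRR else "SSRR", opts[i + 2], hops)
        i += ln
    return None

def edge_policy(packet, ingress_is_peering_edge):
    """Edge-only policy from the thread: honour LSRR on the peering/NAP router only,
    never SSRR. Returns (action, reason); the reason is the line you would log."""
    sr = parse_source_route(packet)
    if sr is None:
        return ("forward", "no source-route option")
    kind, ptr, hops = sr
    if kind == "SSRR":
        return ("drop", "strict source route not honoured")
    if not ingress_is_peering_edge:
        return ("drop", "LSRR via %s rejected: not a peering edge" % ",".join(hops))
    return ("forward", "LSRR honoured at peering edge, pointer=%d, hops=%s" % (ptr, ",".join(hops)))
```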
participants (7): Alan Hannan, David McGaugh, Jared Mauch, John Hawkinson, Kevin Oberman, Randy Bush, Walters