IP Options

Christopher Morrow morrowc.lists at gmail.com
Thu Nov 17 15:20:30 UTC 2011


On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor235 at gmail.com> wrote:
> Sure, but mirroring a port on the edge may not be the best way to go; ACL
> hits and logs dumped to syslog may be the best approach. So if you're
> capturing traffic, how are you mitigating this traffic with minimal impact?
>

sorry, my question was: "Do you have some pcaps, I'd be interested in
seeing what sort of packets you are seeing with options added to
them."

I've seen things like mcast/pim/etc that will do this, and RSVP; I've
not seen in-the-wild packets with options being a 'problem', though in
theory they can be painful :(

Some vendor gear has 'no ip-options' as an option...(which is really,
'ignore ip options', I believe), some has the ability to filter based
on option(s).

-chris

> Mike
>
> On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>>
>> got pcaps?
>>
>> On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235 at gmail.com> wrote:
>> > Is it just me or has there been an increase in packets with IP options
>> > set hitting our front door? There are ways to mitigate, e.g. IP options
>> > selective discard and ACL IP options support. ACL entries on the edge
>> > appear to be the best way to identify and log the source. IP options
>> > selective discard drops packets silently, so from my view they are not
>> > as effective.
>> >
>> > Is anyone doing anything else to identify and mitigate? I have been
>> > seeing hits on our firewalls but would rather take care of it at our
>> > edge with little or no impact.
>> >
>> >
>> > Mike
>> >
>
>
