Access to the Internic Blocked

Fri Aug 23 02:02:21 UTC 1996

Curtis wrote:

>I've said many times that if security in your network is weak enough
>that you need to worry about LSRR packets you need to worry about
>security in your network.

Not at all.  LSRR is a nice tool to mount practically untraceable
flooding attack (hint -- just forge source address and spread
intermediate points evenly across the network).  Shutting you
down may be exactly what the attacker wants.

(LSRR attacks against service providers are particlularly bad --
just imagine somebody flooding you at T-1 speed and bouncing
packets back and forth two dozen times.  Poof -- here goes the
T-3 :)

There are particularly nasty man-in-the-middle attacks (which
defeat one-time-password login authentication, like that) if you
can combine LSRR with bogus routing.

>The minute someone unpacks a Sun workstation, configures an IP address
>and sticks it on the ethernet without installing the security patches
>and doing the administrative work needed to secure the machine, if you
>had a small hole in your security with LSRR, you now have a gaping
>hole in your security.  If you are relying on blocking LSRR, your
>security is a weak as the most peerly administered machine on your
>network.  A real bad thing if you are constantly hiring.

I never argued that blocking LSRR plugs all security holes.  However
it is one thing _not_ used in normal operations; and everything not
used _must_ be shut down by a prudent security.  And, again, there
are several LSRR-based attacks.

>Even so, if anywhere, where you want LSRR turned off is the border
>router(s) in front of the machines used for operations, network
>management, etc.

>Obviously you want your network to be secure even if
>LSRR was enabled for the reason I cited above.

Security Rule #1:  You're never secure.   Turning LSRR off doesn't
particularly hurt connectivity, and is cheap.  It's a way to _improve_
security.

--vadim