Access to the Internic Blocked
curtis at ans.net
Thu Aug 22 15:53:47 UTC 1996
In message <199608220449.VAA00216 at quest.quake.net>, Vadim Antonov writes:
> On itself, LSRR is a godsend to hackers (i can think of about
> a dozen of very nasty attacks using general LSRR). The only
> useful application for it is traceroute.
> Why don't router vendors provide an option to turn it
> off for everything but ICMP ECHO?
I've said many times that if security in your network is weak enough
that you need to worry about LSRR packets you need to worry about
security in your network.
The minute someone unpacks a Sun workstation, configures an IP address
and sticks it on the ethernet without installing the security patches
and doing the administrative work needed to secure the machine, if you
had a small hole in your security with LSRR, you now have a gaping
hole in your security. If you are relying on blocking LSRR, your
security is a weak as the most peerly administered machine on your
network. A real bad thing if you are constantly hiring.
Even so, if anywhere, where you want LSRR turned off is the border
router(s) in front of the machines used for operations, network
management, etc. Obviously you want your network to be secure even if
LSRR was enabled for the reason I cited above.
More information about the NANOG