ICMP Attacks???????

Jon Green jcgreen at netins.net
Fri Aug 22 17:39:52 UTC 1997

On Thu, 21 Aug 1997 23:55:57 -0400 (EDT), woods at most.weird.com writes:
>[ On Thu, August 21, 1997 at 17:18:24 (-0500), Jon Green wrote: ]
>> Subject: Re: ICMP Attacks??????? 
>> I don't think that's a good idea.  The vast majority of routers that
>> I sell to customers are not used in Internet applications, and to add
>> another configuration step to enable the router to do what routers
>> traditionally do by default would be very confusing to the end user.
>Wait just one minute there.
>You're saying that Corporate America *relies* on being able to to
>IP source address spoofing through the routers it builds its commercial
>private networks with?

Well, I wasn't quite thinking here.  The original post had said
something about making a router check to see if a packet came from
a locally configured interface, which I said would not be a good
idea.  Obviously, though, for non-local networks the router would have
a route table entry to get back to it, even if it jumps through
three other routers.

That being said, we *could* have a configuration option that makes
a router check its routing table to make sure a packet coming in an
interface has a route back out that same interface.  This should
not be a default option, though, since there are often two paths
to a destination and the routing table may not match where the packet
came from.  That's not the best English, but you get it..

What would doubling the number of route table lookups do from a 
performance standpoint?  Since I would envision this as an edge-router
type thing, I would assume the impact would not be that great.


    *      Jon Green            *         "Life's a dance             *
   *   jcgreen at netINS.net       *          you learn as you go"        *
  *  Finger for Geek Code/PGP   *                                       *
 *  #include "std_disclaimer.h" * http://www.netins.net/showcase/jcgreen *

More information about the NANOG mailing list