not rewriting next-hop, pointing default, ...

Karl Denninger karl at Mcs.Net
Thu Sep 11 22:55:38 UTC 1997


On Thu, Sep 11, 1997 at 03:45:22PM -0700, Ran Atkinson wrote:
> On Sep 11 15:23, Randy Bush wrote:
> } Subject: Re: not rewriting next-hop, pointing default, ...
> 
> % I also think it may be time we refuse to peer with anyone
> % who inhibits LSR, as it seems that validation is now mandatory.
> % I think we should be sending out a "LSR is mandatory" notice
> % to our peers.  Comments?
> 
> LSR is actually a significant security issue.  So, while I do
> understand and am sympathetic to the operational debugging
> issues that LSR addresses, I think that requiring a peer to
> enable LSR more than 2 hops inside their network from the
> outside world is unreasonable.
> 
> In a world where SSH were available in cisco routers and/or
> IPsec were more widely deployed, I might have different views.
> However, we are where we are.
> 
> Regards,
> 
> Ran
> rja at home.net

I'd love to be able to reasonably run with LSR enabled.

However, we then become the "bounce point" for all kinds of fun stuff,
including denial of service attacks launched against *OTHERS*.

It's off at our entrance routers for this reason.  If EVERY provider shut 
it off EXCEPT on the core (i.e. it was on where only network personnel could
get to and use it) I wouldn't mind.  But with it on all the way to the end
customer circuit in many cases, enabling it on your core can create some
serious security problems.

We *used* to run with it on, and shut it off for exactly this reason.  

-- 
Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
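As an added illustration (not code from Karl's or Ran's posts, nor from any router vendor), the Python below shows the mechanism the thread is arguing about: an IPv4 Loose Source Route option (RFC 791 option type 131; Strict Source Route is type 137) carries a list of hops, and a router that honours it forwards the packet toward the next listed hop rather than its normal next-hop, which is exactly how an outside party can use an LSR-enabled router as a "bounce point". The script builds a constructed sample packet carrying an LSR option, parses the header, reports the hop list, and exposes a predicate an entrance router's policy could apply. The function names, the sample addresses and the zero IP checksum are assumptions made for the example.

```python
"""Build, parse and classify IPv4 packets carrying source-route options.

Example code added to the archive page, not from the original posts.
The sample packet is constructed inline; the IP checksum is left as zero
because nothing here transmits the packet.
"""
import struct
from ipaddress import IPv4Address

IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131   # 0x83: copied=1, class=0, number=3  (loose source route)
IPOPT_SSRR = 137   # 0x89: copied=1, class=0, number=9  (strict source route)


def build_ipv4(src, dst, lsrr_hops=None, payload=b""):
    """Return a 20-byte IPv4 header (plus options) followed by payload.

    If lsrr_hops is given, an LSRR option is appended with its pointer set
    to 4, i.e. pointing at the first listed hop.  Options are padded to a
    32-bit boundary with EOL bytes, as RFC 791 requires.
    """
    opts = b""
    if lsrr_hops:
        route = b"".join(IPv4Address(h).packed for h in lsrr_hops)
        opts = bytes([IPOPT_LSRR, 3 + len(route), 4]) + route
        opts += b"\x00" * (-len(opts) % 4)
    ihl = 5 + len(opts) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 17, 0,  # checksum 0 (assumption)
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    return header + opts + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header and any options; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": IPv4Address(packet[12:16]),
        "dst": IPv4Address(packet[16:20]),
        "ihl": ihl,
        "options": _parse_options(packet[20:ihl]),
    }


def _parse_options(opts: bytes) -> list:
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            # body[0] is the pointer (offset from option start, minimum 4);
            # the remaining bytes are 4-byte hop addresses.
            if len(body) < 1 or (len(body) - 1) % 4:
                raise ValueError("malformed source-route option")
            hops = [IPv4Address(body[1 + k:5 + k]) for k in range(0, len(body) - 1, 4)]
            out.append({"type": t, "kind": "LSRR" if t == IPOPT_LSRR else "SSRR",
                        "pointer": body[0], "hops": hops})
        else:
            out.append({"type": t, "data": body})
        i += length
    return out


def next_listed_hop(route_opt: dict):
    """Hop a source-routing router would forward toward, or None if exhausted."""
    idx = (route_opt["pointer"] - 4) // 4
    hops = route_opt["hops"]
    return hops[idx] if 0 <= idx < len(hops) else None


def is_source_routed(packet: bytes) -> bool:
    """Entrance-router policy check: True if the packet carries LSRR or SSRR."""
    return any(o.get("kind") in ("LSRR", "SSRR") for o in parse_ipv4(packet)["options"])


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.1", "192.0.2.50", ["198.51.100.1", "203.0.113.7"])
    info = parse_ipv4(pkt)
    for opt in info["options"]:
        if "kind" in opt:
            print(opt["kind"], "hops:", [str(h) for h in opt["hops"]],
                  "next:", next_listed_hop(opt))
    print("drop at entrance router:", is_source_routed(pkt))
```

The hop list is what makes the option useful for debugging (you can force a path through a peer's router) and equally useful to an attacker: the packet's visible destination is the peer's router, but the real target is the last listed hop, so a router honouring the option relays traffic the sender could not otherwise inject. Dropping anything for which `is_source_routed()` is true at the entrance router is the filter Karl describes; on Cisco IOS the equivalent global setting is `no ip source-route`.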