not rewriting next-hop, pointing default, ...
Sean M. Doran
smd at clock.org
Sat Sep 13 20:44:58 UTC 1997
"Alex.Bligh" <amb at xara.net> writes:
> Failing this, the ability to disable responding to packets (*)
> with source route set on the Cisco *host* TCP/IP stack
> (and continue to forward them),
Mourn the death of TUBA telnet... :)
What you might want is to make sure that management
functions can only happen over a separate private IP
network. This has been a long-time engineering goal of
one network at some priority or other.
Then, some protection for routing protocols to make them
both more robust and more secure, and life is a bit nicer.
(Although taking an axe to all the routing protocols in
use today has a strong appeal, actually, but that'll come
later...)
Unfortunately, though, in the absence of a method to query
routers about their forwarding (i.e., "what would you do
with this traffic profile?"), route calculation and NLRI
redistribution policies, any tool which can help infer
that from anywhere in the Internet is of use.
I hate traceroute, I think it's a dreadful hack, and it is
really hard to use it correctly for all sorts of reasons,
lots of them having to do with the observer problem. LSRR
helps enormously, and has been of critical use in the
past. Killing it off to provide some warm fuzzies to
operators who are still going to be exposed to lots of
serious attacks on their routers and hosts strikes me as
nearly as unreasonable as simply turning off routers and
encasing them in concrete to make them safe.
What would be REALLY nice is if lots of new hardware and
software that doesn't keel over dead or use a really slow
path to forward packets decorated with the LSRR option
were deployed in everyone's networks.
Sean.
More information about the NANOG
mailing list