Loose Source Routing

• Previous message (by thread): Loose Source Routing
• Next message (by thread): Loose Source Routing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jared Mauch writes:

| 	The reason to permit this is to verify peering policy.  This
| allows people to traceroute to verify packet path.  Example:
| I announce 172.16.0.0/16 only.  I want to verify that you are not
| pointing default at me, so I can do a loose source 
| traceroute to 10.0.0.0 via the peering point.

Yes, this is one use of LSRR, but this can be accomplished through
a standard looking-glass, also, which in my opinion is a much better
requirement of one's potential peers (and suppliers).

The major cost to LSRR is not in security (LSRR doesn't open any new
attacks, it just makes some that require handshaking easier, when
IP addresses are used as "authentication"), but rather in slow-path
performance in some types of router/software combinations.

LSRR is a phenomenally useful feature that simply was never
popularized at the client level; few people used the 
"telnet @gateway1 at gateway2:destination" syntax in those telnets
that supported LSRR, and nearly no other clients offered any
way to construct LSRR, pace traceroute and some pings.

As a result, barely any effort goes into LSRR support in intermediate
systems (routers, gateways, NATs, you name it) -- vicious circle.

SSRR is even less well known/supported in the network.  On the
other hand, haha, that's what we have MPLS for (puke puke puke).

There is an important lesson here for people who suggest that route
optimization policy should be done on hosts rather than in the network.

	Sean.

• Previous message (by thread): Loose Source Routing
• Next message (by thread): Loose Source Routing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]