Who does source address validation? (was Re: what's that smell?)

Richard A Steenbergen ras at e-gerbil.net
Thu Oct 10 15:53:18 UTC 2002


On Thu, Oct 10, 2002 at 01:06:15AM -0400, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 09 Oct 2002 23:05:59 BST, "Stephen J. Wilcox" said:
> 
> > On a related issue (pMTU) I recently discovered that using a link with MTU <
> > 1500 breaks a massive chunk of the net - specifically mail and webservers who
> > block all inbound icmp.. the servers assume 1500, send out the packets with DF
> 
> My personal pet peeve is the opposite - we'll try to use pMTU, some
> provider along the way sees fit to run it through a tunnel, so the MTU
> there is 1460 instead of 1500 - and the chuckleheads number the tunnel
> endpoints out of 1918 space - so the 'ICMP Frag Needed' gets tossed at
> our border routers, because we do both ingress and egress filtering.  
> It's bad enough when all the interfaces on the offending unit are
> 1918-space, but it's really annoying when the critter has perfectly good
> non-1918 addresses it could use as the source... Argh...

Ok, I know how this manages to rile people up, but might I suggest that
you brought it upon yourself?

There is a time and a place for messages sourced from addresses to which
you cannot reply, and a time and place where those messages should not
exist. Obviously, a dns *QUERY* is not the place for a message which
cannot be returned. But what about an ICMP *RESPONSE*? Nothing depends
upon the source address of the IP header for operation, the original
headers which caused the problem are encoded in the ICMP message.

And yet people are so busy concerning themselves with this mythical "thing
which might break from receiving ICMP overlapping existing internal 1918
space", the extra 0.4% of bandwidth which might be wasted, and the
righteous feeling that they have done something useful, that they don't
stop to realize *THEY* are the ones breaking PMTU-D.

I'm sure we can all agree on at least the concept that sourcing packets
from an address which cannot receive a reply is at least potentially
useful, for example to avoid DoS against a critical piece of
infrastructure. Would it make people feel better if there was a specific
separate non-routed address space reserved for "router generated messages
which don't want replies"? Why?

Even Windows 2000+ includes blackhole detection which will eventually
remove the DF bit if packets aren't getting through and ICMP messages
aren't coming back, something many unixes lack. But the heart of the
problem is that people still push packets like every one must include the
maximum data the MTU can support. Do we have any idea how much "network
suffering" is being caused by that damn 1500 number right now? Aside from
the fact that it is one of the worst numbers possible for the data, it
throws a major monkey wrench in the use of tunnels, pppoe, etc. Eventually
we will realize the way to go is something like "4096 data octets, plus
some room for headers", on a 4470 MTU link. But if the best reason we can
come up with is ISIS, the IEEE will just keep laughing.

</rant>

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
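The point made in the message above, that a Fragmentation Needed message carries everything PMTU discovery needs in its payload rather than in its outer source address, is easier to see with a packet in hand. The following is an added example and is not part of the original post or the NANOG thread: it constructs an ICMP type 3 / code 4 message as sent by a tunnel router numbered out of RFC 1918 space (the situation Valdis describes), parses it, and contrasts the drop-everything-from-1918 border rule with a check that admits the message because the datagram it quotes was sent from our own prefix. `OUR_PREFIX`, the addresses, ports and MTU value are all made up for the demonstration.

```python
"""ICMP 'Fragmentation Needed' handling at a border: a plain source-address
filter versus a check that validates the message by the original datagram
it carries. Added example, not code from the original post."""
import ipaddress
import struct

# Constructed for the example: "our" public block and RFC 1918 space.
OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src, dst, proto, payload_len, flags_frag=0, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_frag_needed(router_src, orig_src, orig_dst, next_hop_mtu, sport, dport):
    """Constructed ICMP type 3 / code 4 message (RFC 792, RFC 1191): the
    router's outer header, then the original IP header plus the first 8
    bytes of the original transport header. Values are made up for the demo."""
    orig_ip = _ipv4_header(orig_src, orig_dst, 6, 1480, flags_frag=0x4000,
                           ident=0x1234)            # DF set, 1500-byte datagram
    orig_l4 = struct.pack("!HHI", sport, dport, 0)  # TCP ports + sequence number
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip + orig_l4
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return _ipv4_header(router_src, orig_src, 1, len(icmp), ttl=255) + icmp


def parse_frag_needed(pkt: bytes):
    """Return the fields PMTU-D actually uses, or None if this is not a
    well-formed Fragmentation Needed message."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                           # outer protocol is not ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 28 or checksum(icmp) != 0:
        return None                           # too short or bad checksum
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:
        return None
    inner = icmp[8:]                          # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": ipaddress.ip_address(pkt[12:16]),
        "next_hop_mtu": mtu,
        "inner_src": ipaddress.ip_address(inner[12:16]),
        "inner_dst": ipaddress.ip_address(inner[16:20]),
        "inner_proto": inner[9],
        "sport": sport,
        "dport": dport,
    }


def source_filter_verdict(pkt: bytes) -> str:
    """The border policy from the quoted post: drop anything sourced from
    RFC 1918 space, whatever it carries."""
    src = ipaddress.ip_address(pkt[12:16])
    return "drop" if any(src in n for n in RFC1918) else "accept"


def payload_aware_verdict(pkt: bytes) -> str:
    """Admit a Fragmentation Needed message when the datagram it quotes was
    ours (inner source inside OUR_PREFIX) and the reported MTU is sane; the
    outer source address is never consulted."""
    info = parse_frag_needed(pkt)
    if info is None:
        return "drop"
    if info["inner_src"] not in OUR_PREFIX:
        return "drop"                         # not a response to our traffic
    if info["next_hop_mtu"] < 68:
        return "drop"                         # below the IPv4 minimum MTU
    return "accept"


if __name__ == "__main__":
    # Tunnel router at 10.9.9.1 reports a 1460-byte MTU for our HTTP flow.
    pkt = build_frag_needed("10.9.9.1", "198.51.100.7", "203.0.113.9",
                            1460, 34567, 80)
    print("plain source filter  :", source_filter_verdict(pkt))
    print("payload-aware filter :", payload_aware_verdict(pkt))
    print(parse_frag_needed(pkt))
```

The payload-aware check is essentially what a stateful firewall does when it classifies ICMP errors as related to an existing flow: the quoted inner header, not the router's address, ties the message to traffic you sent. A border filter that drops on the outer source alone discards the message before that check can run, which is the PMTU-D breakage the thread is about.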
