icmp rpf

william(at)elan.net william at elan.net
Mon Sep 25 18:47:44 UTC 2006


On Mon, 25 Sep 2006, Chris Adams wrote:

> Once upon a time, Mark Kent <mark at noc.mainstreet.net> said:
>> I think this is an important point to make because of my interaction
>> with small.net.  When I pointed out the timeouts they said that it was
>> because they don't announce the router IP addresses, which is true but
>> not the whole story.  I mentioned that some providers in the past
>> numbered on rfc1918 space and traceroute still worked, so that alone
>> was not enough.
>
> Not announcing their router interface IP space is not any type of
> security.  Anyone directly connected to them (customer or peer) could if
> they wish statically route that IP space, and any such security would be
> gone.  Unless it is otherwise filtered, any customer with a default
> route can reach their routers.

Nevertheless, putting the router interface IP addresses for your network
in one specific block is a very effective way to quickly get rid
of a DoS attack on the router - you simply stop announcing that
block, but everything else on the network still works. And doing
tricks like having a primary IP address which is not important at all
(except for logging traffic actually destined to it) while the secondary
IP on the same interface is really the one used for inter-connection
also works quite well.

-- 
William Leibzon
Elan Networks
william at elan.net
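An added illustration, not part of the thread, of the two practices described above as a Cisco IOS-style configuration; the prefixes, AS numbers, interface and policy names are documentation values chosen here as placeholders, not from the post.

```text
! Constructed example (not from the thread). Prefixes are RFC 5737
! documentation blocks and AS numbers are RFC 5398 documentation ASNs.
!
! 1. All router interface addresses live in one dedicated block,
!    192.0.2.0/24, announced separately from the customer block
!    203.0.113.0/24. To shed a DoS aimed at the routers, withdraw only
!    the infrastructure block; customer prefixes stay reachable.
! 2. On the peering interface the primary address is a throwaway that
!    only attracts (and logs) stray traffic; the secondary address is
!    the one the neighbor actually uses.

interface GigabitEthernet0/1
 description peering link to AS64497
 ! primary address: not used for anything but logging traffic sent to it
 ip address 198.51.100.1 255.255.255.252
 ! secondary address: the real inter-connection address
 ip address 192.0.2.1 255.255.255.252 secondary

router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 route-map UPSTREAM-OUT out

! Normal state: both prefixes are permitted outbound, each in its own
! route-map clause so one can be removed without touching the other.
ip prefix-list INFRA-BLOCK seq 5 permit 192.0.2.0/24
ip prefix-list CUSTOMER-BLOCKS seq 5 permit 203.0.113.0/24

route-map UPSTREAM-OUT permit 10
 match ip address prefix-list INFRA-BLOCK
route-map UPSTREAM-OUT permit 20
 match ip address prefix-list CUSTOMER-BLOCKS

! Under attack: drop clause 10 and soft-clear the session outbound, so
! the infrastructure block is withdrawn while 203.0.113.0/24 stays announced.
!   router(config)# no route-map UPSTREAM-OUT permit 10
!   router# clear ip bgp 192.0.2.2 soft out
```

As the earlier reply in the thread notes, directly connected neighbors can still reach the block via static or default routes after the withdrawal; the measure only removes the block from the wider routing table.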
