New router feature - icmp error source-interface [was: icmp rpf]

Patrick W. Gilmore patrick at ianai.net
Mon Sep 25 13:22:34 UTC 2006


On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:

> ICMP packets will, by design, originate from the incoming interface  
> used by the packet that triggers the ICMP packet. Thus giving an  
> interface an address is implicitly giving that interface the  
> ability to source packets with that address to potential anywhere  
> in the Internet. If you don't legitimately announce address space  
> then sourcing packets with addresses in that space is (one  
> definition of) spoofing.

Who thinks it would be a "good idea" to have a knob such that ICMP  
error messages are always source from a certain IP address on a router?

For instance, you could have a "loopback99" which is in an announced  
block, but filtered at all your borders.  Then set "ip icmp error  
source-interface loopback99" or something.  All error messages from a  
router would come from this address, regardless of the incoming or  
outgoing interface.  Things like PMTUD would still work, and your / 
30s could be in private space or non-announced space or even  
imaginary^Wv6 space. :)

Note I said "error messages", so things like TTL Expired, Port  
Unreachable, and Can't Fragment would come from here, but things like  
ICMP Echo Request / Reply pairs would not.  Perhaps that should be  
considered as well, but it is not what I am suggesting here.

Obviously there's lots of side effects, and probably unintended  
consequences I have not considered, but I think the good might out- 
weigh the bad.  Or not.  Which is why I'm offering it up for suggestion.

(Unless, of course, I get 726384 "you are off-topic" replies, in  
which case I withdraw the suggestion.)

-- 
TTFN,
patrick




More information about the NANOG mailing list