New router feature - icmp error source-interface [was: icmp rpf]

Mon Sep 25 21:31:27 UTC 2006

On Sep 25, 2006, at 5:26 PM, Berkman, Scott wrote:

> Might this not be a bad idea if the router has interfaces on multiple,
> separate paths?  Such a case may be where one customer or set of  
> traffic
> routes over a link to ISP A, and other traffic over a link to ISP  
> B, and
> not all related addresses are portable.  In that case the loopback
> address for the ICMP errors might show from an address that seems to
> belong to a block from ISP A, but is really traffic that was  
> transported
> on ISP B.
>
> 	Just trying to come up with possible issues, not saying that's a
> best practice or anything...

I doubt it is possible to make a rule / knob / idea / feature /  
whatever that cannot be misused, or that is applicable to all corner  
cases.

That's why it's a knob. :)  If it is applicable to your situation,  
you should use it.  If not, not.

But if the knob has enough use in enough situations, then it is  
probably something we want to push the vendors to implement.

-- 
TTFN,
patrick

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On  
> Behalf Of
> Patrick W. Gilmore
> Sent: Monday, September 25, 2006 9:23 AM
> To: nanog at merit.edu
> Cc: Patrick W. Gilmore
> Subject: New router feature - icmp error source-interface [was: icmp
> rpf]
>
>
> On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
>
>> ICMP packets will, by design, originate from the incoming interface
>> used by the packet that triggers the ICMP packet. Thus giving an
>> interface an address is implicitly giving that interface the ability
>> to source packets with that address to potential anywhere in the
>> Internet. If you don't legitimately announce address space then
>> sourcing packets with addresses in that space is (one definition of)
>> spoofing.
>
> Who thinks it would be a "good idea" to have a knob such that ICMP  
> error
> messages are always source from a certain IP address on a router?
>
> For instance, you could have a "loopback99" which is in an announced
> block, but filtered at all your borders.  Then set "ip icmp error
> source-interface loopback99" or something.  All error messages from a
> router would come from this address, regardless of the incoming or
> outgoing interface.  Things like PMTUD would still work, and your /  
> 30s
> could be in private space or non-announced space or even
> imaginary^Wv6 space. :)
>
> Note I said "error messages", so things like TTL Expired, Port
> Unreachable, and Can't Fragment would come from here, but things like
> ICMP Echo Request / Reply pairs would not.  Perhaps that should be
> considered as well, but it is not what I am suggesting here.
>
> Obviously there's lots of side effects, and probably unintended
> consequences I have not considered, but I think the good might out-
> weigh the bad.  Or not.  Which is why I'm offering it up for  
> suggestion.
>
> (Unless, of course, I get 726384 "you are off-topic" replies, in which
> case I withdraw the suggestion.)
>
> --
> TTFN,
> patrick