New router feature - icmp error source-interface [was: icmp rpf]
Richard A Steenbergen
ras at e-gerbil.net
Mon Sep 25 21:40:06 UTC 2006
On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
>
> On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
>
> >ICMP packets will, by design, originate from the incoming interface
> >used by the packet that triggers the ICMP packet. Thus giving an
> >interface an address is implicitly giving that interface the
> >ability to source packets with that address to potential anywhere
> >in the Internet. If you don't legitimately announce address space
> >then sourcing packets with addresses in that space is (one
> >definition of) spoofing.
>
> Who thinks it would be a "good idea" to have a knob such that ICMP
> error messages are always source from a certain IP address on a router?
You know I was just having this discussion with someone else a couple days
ago. It turns out, much to my surprise, that the RFC actually calls for
the ICMP error-message packet (as you said, the things that aren't ping
etc which require a specific source-address) to originate from the
OUTGOING interface used to return the ICMP message to the original sender.
After much googling, I can't find any document where this has ever been
officially updated either. The defacto industry standard on the other hand
has been to use the primary address of the inbound interface, which serves
exactly one function: it makes traceroute work.
The hack that people use to simulate this functionality normally is:
ip address the.fake.ip.here 255.255.255.252
ip address the.real.ip.here 255.255.255.252 secondary
(FYI side note the Juniper equivilent is... confusing or non-working, hard
to tell which. The tag "primary" is defined as the source address for
local broadcast/multicast, "preferred" is defined as the source when you
have multiple IPs within a subnet. Neither one should work for what we're
talking about according to the docs, but if you actually try it...
sometimes it works, sometimes it won't, and sometimes the behavior is
different if you include only one but not the other :P).
This works well for simple external-facing interfaces, things that speak
BGP for example, but can confuse things like OSPF etc when you use
secondaries on internal interfaces. FWIW I've been asking for more people
to implement exactly what you're talking about for years (specifically
setting ONLY the ICMP error source interface without risk of screwing up
the interface in other ways). You can debate over exactly how to do it
(global or per interface, icmp source-interface lo99 vs icmp source-ip
1.2.3.4, etc), but I agree wholeheatedly it should be done. It should be
really simple too!
> (Unless, of course, I get 726384 "you are off-topic" replies, in
> which case I withdraw the suggestion.)
Please stop talking about networking on NANOG, you're confusing people. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the NANOG
mailing list