New router feature - icmp error source-interface [was: icmp rpf]

Richard A Steenbergen ras at e-gerbil.net
Mon Sep 25 21:40:06 UTC 2006


On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
> 
> On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
> 
> >ICMP packets will, by design, originate from the incoming interface
> >used by the packet that triggers the ICMP packet. Thus giving an
> >interface an address is implicitly giving that interface the
> >ability to source packets with that address to potentially anywhere
> >in the Internet. If you don't legitimately announce address space
> >then sourcing packets with addresses in that space is (one
> >definition of) spoofing.
> 
> Who thinks it would be a "good idea" to have a knob such that ICMP
> error messages are always sourced from a certain IP address on a router?

You know I was just having this discussion with someone else a couple days 
ago. It turns out, much to my surprise, that the RFC actually calls for 
the ICMP error-message packet (as you said, the things that aren't ping 
etc which require a specific source-address) to originate from the 
OUTGOING interface used to return the ICMP message to the original sender. 
After much googling, I can't find any document where this has ever been 
officially updated either. The de facto industry standard on the other hand 
has been to use the primary address of the inbound interface, which serves 
exactly one function: it makes traceroute work.

The hack that people use to simulate this functionality normally is:

ip address the.fake.ip.here 255.255.255.252 
ip address the.real.ip.here 255.255.255.252 secondary

(FYI side note: the Juniper equivalent is... confusing or non-working, hard 
to tell which. The tag "primary" is defined as the source address for 
local broadcast/multicast, "preferred" is defined as the source when you 
have multiple IPs within a subnet. Neither one should work for what we're 
talking about according to the docs, but if you actually try it... 
sometimes it works, sometimes it won't, and sometimes the behavior is 
different if you include only one but not the other :P).

This works well for simple external-facing interfaces, things that speak 
BGP for example, but can confuse things like OSPF etc when you use 
secondaries on internal interfaces. FWIW I've been asking for more people 
to implement exactly what you're talking about for years (specifically 
setting ONLY the ICMP error source interface without risk of screwing up 
the interface in other ways). You can debate over exactly how to do it 
(global or per interface, icmp source-interface lo99 vs icmp source-ip 
1.2.3.4, etc), but I agree wholeheartedly it should be done. It should be 
really simple too!

> (Unless, of course, I get 726384 "you are off-topic" replies, in  
> which case I withdraw the suggestion.)

Please stop talking about networking on NANOG, you're confusing people. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
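The three source-selection policies discussed in this thread (the de facto "primary address of the inbound interface", the RFC 1812 "address of the outgoing interface", and the proposed "always a fixed loopback" knob), plus the secondary-address hack, modelled in a small Python simulation. This is an added example written for this archive page, not code from anyone in the thread; the router topology, the interface names and every address in it are constructed, and the check it performs (does the chosen source fall inside the prefixes the operator announces) is the spoofing concern Ian raised, not a feature of any vendor's software.

```python
"""Model of ICMP error source-address selection on a router (added example).

Policies compared:
  "inbound"  - de facto behaviour: primary address of the ingress interface
  "outbound" - RFC 1812 section 4.3.2.4: an address of the interface the ICMP
               message is transmitted on, found by routing toward the sender
  "fixed"    - the proposed knob: always source from a designated loopback
Topology, interface names and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    primary: str                          # address the router sources ICMP from
    secondary: Tuple[str, ...] = ()       # extra addresses, never used as source

    def primary_address(self) -> str:
        return str(ipaddress.ip_interface(self.primary).ip)


class Router:
    def __init__(self, interfaces: List[Interface], routes: Dict[str, str],
                 announced: List[str], loopback: str):
        self.ifaces = {i.name: i for i in interfaces}
        # routes: prefix -> egress interface; sorted so longest prefix wins
        self.routes = sorted(
            ((ipaddress.ip_network(p), ifname) for p, ifname in routes.items()),
            key=lambda r: r[0].prefixlen, reverse=True)
        self.announced = [ipaddress.ip_network(p) for p in announced]
        self.loopback = loopback

    def egress_for(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        for net, ifname in self.routes:
            if addr in net:
                return ifname
        raise LookupError(f"no route to {dst}")

    def icmp_error_source(self, in_iface: str, orig_src: str, policy: str) -> str:
        """Source address of a Time Exceeded sent back to orig_src."""
        if policy == "inbound":
            iface = self.ifaces[in_iface]
        elif policy == "outbound":
            iface = self.ifaces[self.egress_for(orig_src)]
        elif policy == "fixed":
            iface = self.ifaces[self.loopback]
        else:
            raise ValueError(f"unknown policy {policy}")
        return iface.primary_address()

    def is_announced(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.announced)


def build_router(secondary_hack: bool) -> Router:
    # Gi0/0 is a transit link numbered from space we never announce (constructed).
    real = "10.9.9.2/30"
    if secondary_hack:
        # The hack from the thread: announced "fake" primary, real address secondary.
        gi00 = Interface("Gi0/0", "192.0.2.9/30", (real,))
    else:
        gi00 = Interface("Gi0/0", real)
    return Router(
        interfaces=[gi00,
                    Interface("Gi0/1", "192.0.2.1/30"),
                    Interface("Lo0", "192.0.2.254/32")],
        routes={"0.0.0.0/0": "Gi0/1",          # default route out the announced link
                "10.9.9.0/30": "Gi0/0",
                "203.0.113.0/24": "Gi0/0"},    # a prefix reached back over Gi0/0
        announced=["192.0.2.0/24"],
        loopback="Lo0",
    )


def compare(probe_src: str, in_iface: str = "Gi0/0") -> Dict[str, Tuple[str, bool]]:
    """For a TTL-expired probe from probe_src arriving on in_iface, return the
    ICMP source each policy picks and whether it lies in announced space.
    A source outside announced space is what the thread calls spoofing, and an
    upstream uRPF or bogon filter may simply drop it."""
    out = {}
    for policy in ("inbound", "outbound", "fixed"):
        r = build_router(secondary_hack=False)
        src = r.icmp_error_source(in_iface, probe_src, policy)
        out[policy] = (src, r.is_announced(src))
    r = build_router(secondary_hack=True)
    src = r.icmp_error_source(in_iface, probe_src, "inbound")
    out["inbound+secondary-hack"] = (src, r.is_announced(src))
    return out


if __name__ == "__main__":
    for probe in ("198.51.100.10", "203.0.113.5"):
        print(f"probe from {probe} arriving on Gi0/0:")
        for policy, (src, ok) in compare(probe).items():
            print(f"  {policy:24s} source={src:14s} announced={ok}")
```

Run as-is, the first probe shows the ingress policy leaking 10.9.9.2 while the outbound, fixed and secondary-hack variants all answer from announced space. The second probe, whose return route goes back over the same unannounced link, shows that the RFC 1812 outbound rule leaks in exactly the same way; only a fixed source (or the hack) is independent of which link the packet happened to use, which is why a dedicated "ICMP error source" knob is cleaner than secondaries, at the cost of traceroute no longer identifying the ingress link.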