New router feature - icmp error source-interface [was: icmp rpf]
Daniel Senie
dts at senie.com
Tue Sep 26 03:38:23 UTC 2006
At 10:29 PM 9/25/2006, Chris L. Morrow wrote:
>On Mon, 25 Sep 2006, Joseph S D Yao wrote:
>
> >
> > On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
> > ...
> > > Who thinks it would be a "good idea" to have a knob such that ICMP
> > > error messages are always source from a certain IP address on a router?
> > ...
> >
> >
> > I've sometimes thought it would be useful when I wanted to hide a route.
> > But security via obscurity just makes it that much harder to fix
>
>I think in the original poster's scenario one network was looking to
>protect their resources/equipment from a majority of the network's ills.
>It's not unreasonable... atleast not in my mind. It's also not 'security
>through obscurity' since one of the parties is/was leaking their
>information OUT, just not 'in' :)
The issue is that the world has changed. Some networks actually
expect not only the use of public addresses on router interfaces, but
addresses from advertised blocks. Why has the world changed? Because
not everyone is friendly on the Internet. There were issues raised in
Mobile IP by the drafts that predated the publication of RFC 2267.
Why? Well, Mobile IP WG had made the assumption that all IPv4 packet
forwarding would be done, without filtering, based solely on the
destination IP address. The down side was it made some of the traffic
look spoofed. The world changed, people started abusing the Internet
in new ways, and the old assumptions no longer held. Mobile IP WG
adapted to the new reality that was coming. The longevity of the
TCP/IP protocol suite is attributable to the continued effort of many
people, not to savant qualities of those who first wrote specifications.
> > something. Many more times than this would have been useful, I've been
> > able to identify at which router a problem was by a 'traceroute' that
>
>What's interesting is that today, in many networks, the usefulness of
>traceeroute has bee degraded by other non-ip issues (<cough>mpls</cough>)
>not in ALL cases, but certainly in many you are not seeing quite what
>you'd expect from the traceroute :(
There's no more degradation of usefulness from MPLS than there was
from ATM or Frame Relay. Pick your poison for virtualized link layer,
and you'll have some degree of difficulty determining and debugging
the underlying network without tools to peer under the hood.
More information about the NANOG
mailing list