Reverse Traceroute

Saku Ytti saku at ytti.fi
Mon Feb 27 13:36:55 UTC 2023


On Mon, 27 Feb 2023 at 10:16, Rolf Winter <rolf.winter at hs-augsburg.de> wrote:

> "https://downforeveryoneorjustme.com/". But, somebody might use your
> server for this. How do people feel about this? Restrict the reverse
> traceroute operation to be done back to the source or allow it more
> freely to go anywhere?

What are the pros and cons of this? Let's call it destination TLV.

If I am someone who wants to do a volumetric attack, I won't set any
destination TLV, because without destination TLV and by spoofing my
source, I get more leverage. If my source and destination TLV differ,
then I have less leverage. So in this sense, it adds no security
implications, but adds a massive amount of diagnostic power, as one
very common request is to ask for a traceroute between nodes you have no
access to.

What it would allow is port knocking the ports used through a proxy;
whether this matters or not might be debatable.

Perhaps the standard should consider some abilities to be default on,
and others default off, and let the operator decide if they want to
turn some default-off abilities on, such as honoring destination TLV.

-- 
  ++ytti
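
The default-on / default-off split suggested in the message above, sketched from the responder operator's side. This is an added example, not part of the original post or of any reverse traceroute implementation; the ability names, the `Policy` class, the `decide` function and the optional destination prefix allowlist are all assumptions, and the addresses are constructed documentation-range samples.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical ability names. Defaults follow the proposal in the message:
# tracing back to the requester is on, honoring a destination TLV is off.
DEFAULTS = {
    "trace_to_source": True,
    "honor_destination_tlv": False,
}

@dataclass
class Policy:
    overrides: dict = field(default_factory=dict)  # operator's explicit choices
    allowed_destinations: tuple = ()               # optional prefixes (assumption)

    def __post_init__(self):
        # Fail closed on typos: an unknown ability must not silently enable anything.
        unknown = set(self.overrides) - set(DEFAULTS)
        if unknown:
            raise ValueError(f"unknown abilities: {sorted(unknown)}")
        self.nets = [ipaddress.ip_network(p) for p in self.allowed_destinations]

    def enabled(self, ability):
        return self.overrides.get(ability, DEFAULTS[ability])

def decide(policy, source, destination_tlv=None):
    """Return (target, reason); target is None when the request is refused."""
    src = ipaddress.ip_address(source)
    dst = ipaddress.ip_address(destination_tlv) if destination_tlv else src
    if dst == src:
        # No destination TLV, or one that names the requester itself.
        if policy.enabled("trace_to_source"):
            return str(src), "trace back to source"
        return None, "trace_to_source disabled by operator"
    if not policy.enabled("honor_destination_tlv"):
        return None, "destination TLV not honored (default off)"
    # An empty allowlist means the operator opted in without restriction.
    if policy.nets and not any(dst in net for net in policy.nets):
        return None, "destination outside operator allowlist"
    return str(dst), "trace to destination TLV"

if __name__ == "__main__":
    opted_in = Policy({"honor_destination_tlv": True}, ("198.51.100.0/24",))
    for tlv in (None, "198.51.100.7", "203.0.113.5"):
        print(tlv, "default:", decide(Policy(), "192.0.2.10", tlv),
              "opted-in:", decide(opted_in, "192.0.2.10", tlv))
```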

