[146612] in North American Network Operators' Group
Re: IP Options
In-Reply-To: <CAB_zYdJ-PYuwowvJbEg58_54fj8KFSC8K6gvOa8BeskRaHRrtg@mail.gmail.com>
Date: Thu, 17 Nov 2011 10:20:30 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: harbor235 <harbor235@gmail.com>
Cc: NANOG list <nanog@nanog.org>
On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor235@gmail.com> wrote:
> Sure, but mirroring a port on the edge may not be the best way to go, ACL
> hits and logs dumped to syslog may be the best approach. So if you're
> capturing traffic how are you mitigating this traffic with minimal impact?
>
sorry, my question was: "Do you have some pcaps, I'd be interested in
seeing what sort of packets you are seeing with options added to
them."
I've seen things like mcast/pim/etc that will do this, and RSVP, I've
not seen in-the-wild packets with options being a 'problem', though in
theory they can be painful :(
Some vendor gear has 'no ip-options' as an option...(which is really,
'ignore ip options', I believe), some has the ability to filter based
on option(s).
-chris
> Mike
>
> On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
>>
>> got pcaps?
>>
>> On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235@gmail.com> wrote:
>> > Is it just me or has there been an increase in packets with IP options
>> > set hitting our front door? There are ways to mitigate e.g. IP options
>> > selective discard, and ACL IP options support. ACL entries on the edge
>> > appear to be the best way to identify and log the source.
>> > IP options selective discard drops packets silently so from my view they
>> > are not as effective.
>> >
>> > Is anyone doing anything else to identify and mitigate? I have been
>> > seeing hits on our firewalls but would rather take care of it at our
>> > edge with little or no impact.
>> >
>> >
>> > Mike
>> >
>
>
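The thread asks how to identify packets carrying IP options at the edge and distinguish the benign ones (PIM/IGMP and RSVP use Router Alert) from the kind worth logging. The following is an added example, not code from the thread or its participants: a small IPv4 header parser that walks the option list (present whenever IHL > 5) and emits a syslog-style line, run over constructed packets rather than a real capture.

```python
import struct

# Well-known IPv4 option type codes (RFC 791, RFC 2113). PIM/IGMP and RSVP
# legitimately carry Router Alert; source-route options are usually unwanted.
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 7: "Record Route", 68: "Timestamp",
    131: "Loose Source Route", 137: "Strict Source Route", 148: "Router Alert",
}

def parse_ipv4_options(pkt: bytes):
    """Return (header_len, [(type, payload), ...]) for one raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    opts, i = [], 20
    while i < ihl:
        otype = pkt[i]
        if otype == 0:                      # End of Option List
            break
        if otype == 1:                      # NOP has no length byte
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option missing length byte")
        olen = pkt[i + 1]
        if olen < 2 or i + olen > ihl:      # malformed length: worth logging
            raise ValueError("bad option length")
        opts.append((otype, pkt[i + 2:i + olen]))
        i += olen
    return ihl, opts

def describe(pkt: bytes) -> str:
    """One log line per packet, the way an edge ACL log entry might read."""
    ihl, opts = parse_ipv4_options(pkt)
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    names = [OPTION_NAMES.get(t, f"type {t}") for t, _ in opts]
    return f"{src} -> {dst} ihl={ihl} options={names or 'none'}"

def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) for test data only."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options

# Constructed samples: plain TCP, IGMP with Router Alert, TCP with LSRR.
PLAIN = build_ipv4("192.0.2.10", "198.51.100.5", 6)
ROUTER_ALERT = build_ipv4("192.0.2.10", "224.0.0.22", 2, b"\x94\x04\x00\x00")
LSRR = build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x83\x07\x04" + bytes([203, 0, 113, 9]))
```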