[16465] in North American Network Operators' Group


Re: Router modifications to deal with smurf

daemon@ATHENA.MIT.EDU (John Hawkinson)
Sun Apr 26 18:18:17 1998

From: John Hawkinson <jhawk@bbnplanet.com>
To: rusty@mci.net (Rusty Zickefoose)
Date: Sun, 26 Apr 1998 17:59:42 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.3.96.980425172212.6993B-100000@chert> from "Rusty Zickefoose" at Apr 25, 98 05:29:02 pm

>         We request that your routers be configurable, at the interface
> level, to prevent the forwarding of an ICMP echo-request packet through an
> interface that has a broadcast or wire address that matches the
> destination address of that packet.

Modifications that cause the forwarding path to behave differently
for some type of packets are *bad*. ICMP echo-requests should be treated
identically to other sorts of packets.

If you s/an ICMP echo-request/an IP/, then you have the same
as "no ip directed-broadcast". Your wording is sufficiently vague such that
I can't tell if that's what you meant or not. I don't know if you're
trying to avoid being cisco-specific, or if you're being vague for some
other reason.

> We also request that the default configurations of your routers be
> modified to prevent said forwarding.

I don't have a problem with this.

>         We request that your routers be configurable, both globally and
> at the interface level, with the interface configuration overriding the
> global configuration, to prevent the forwarding of an IP packet with a
> source network address different from the network address of the interface
> on which it was received.  We also request that the default configurations
> of your routers be modified to prevent, globally, said forwarding. 

I'd be concerned that having this as a default is not necessarily
the right thing in sufficiently large numbers of situations as to
make this a bad idea.

--jhawk
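
The two router checks discussed in this message, sketched as an added Python example that is not part of the original thread and is not any vendor's code: a protocol-independent directed-broadcast drop (the behaviour of "no ip directed-broadcast") and the proposed source-network check on the receiving interface. Function names, the packet dict layout and the sample addresses are assumptions constructed for illustration; the transit packet is one constructed case where the source check drops traffic a router would normally carry.

```python
import ipaddress

def is_directed_broadcast(dst, egress_net):
    """True when dst is the broadcast or network ("wire") address of the egress subnet."""
    net = ipaddress.ip_network(egress_net)
    if net.prefixlen >= 31:
        # /31 and /32 subnets have no separate broadcast or wire address.
        return False
    return ipaddress.ip_address(dst) in (net.network_address, net.broadcast_address)

def source_on_ingress_net(src, ingress_net):
    """True when src belongs to the subnet configured on the receiving interface."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(ingress_net)

def decide(pkt, ingress_net, egress_net, block_directed_broadcast=True, check_source=False):
    """Return 'forward' or a drop reason. pkt['proto'] is never consulted."""
    if check_source and not source_on_ingress_net(pkt["src"], ingress_net):
        return "drop: source not on ingress network"
    if block_directed_broadcast and is_directed_broadcast(pkt["dst"], egress_net):
        return "drop: directed broadcast"
    return "forward"

# Constructed sample packets (documentation address ranges, hypothetical topology).
LAN = "192.0.2.0/24"       # subnet on the egress interface
EDGE = "198.51.100.0/24"   # subnet on the ingress interface
SAMPLES = [
    {"proto": "icmp-echo", "src": "198.51.100.7", "dst": "192.0.2.255"},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.255"},
    {"proto": "icmp-echo", "src": "198.51.100.7", "dst": "192.0.2.0"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10"},  # transit traffic
]

def run(check_source):
    """Decisions for every sample packet, with the source check off or on."""
    return [decide(p, EDGE, LAN, check_source=check_source) for p in SAMPLES]

if __name__ == "__main__":
    for p, a, b in zip(SAMPLES, run(False), run(True)):
        print(p["proto"], p["src"], "->", p["dst"], "|", a, "|", b)
```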


