[50574] in North American Network Operators' Group
Re: If you have nothing to hide
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Mon Aug 5 11:43:52 2002
From: "Stephen Sprunk" <ssprunk@cisco.com>
To: "Len Rose" <len@netsys.com>, <bdragon@gweep.net>
Cc: <nanog@merit.edu>
Date: Mon, 5 Aug 2002 10:11:25 -0500
Errors-To: owner-nanog-outgoing@merit.edu

Thus spake <bdragon@gweep.net>
> <snip>
> > our packets. While I'm certainly in favor of anything edge providers can
> > do to eliminate denial of service attacks based on source-routing,
> > I certainly don't want anything further.
> <snip>
>
> denial of service based upon source routing? I hadn't heard of any denial
> of service attacks of that sort.
>
> Disabling source-routing is like filtering icmp, sure you might block
> a few abuses, but more often than not, you are throwing out legitimate
> traffic.

I can't come up with any legitimate reason to use source-routed packets today.
If your routers even support them, they probably consume orders of magnitude
more processing power than normal packets; that is enough reason to disable
source-routing, not to mention the security implications.
S