[50580] in North American Network Operators' Group


Re: If you have nothing to hide

daemon@ATHENA.MIT.EDU (bdragon@gweep.net)
Mon Aug 5 12:13:05 2002

To: ssprunk@cisco.com (Stephen Sprunk)
Date: Mon, 5 Aug 2002 12:07:46 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <no.id> from "Stephen Sprunk" at Aug 05, 2002 10:11:25 AM
From: <bdragon@gweep.net>
Errors-To: owner-nanog-outgoing@merit.edu


> Thus spake <bdragon@gweep.net>
> > <snip>
> > > our packets. While I'm certainly in favor of anything edge providers can
> > > do to eliminate denial of service attacks based on source-routing,
> > > I certainly don't want anything further.
> > <snip>
> >
> > denial of service based upon source routing? I hadn't heard of any denial
> > of service attacks of that sort.
> >
> > Disabling source-routing is like filtering icmp, sure you might block
> > a few abuses, but more often than not, you are throwing out legitimate
> > traffic.
> 
> I can't come up with any legitimate reason to use source-routed packets today.
> If your routers even support them, they probably consume orders of magnitude
> more processing power than normal packets; that is enough reason to disable
> source-routing, not to mention the security implications.
> 
> S

Validation of routing policy to ensure others aren't abusing you (pointing
default, for example). As for orders of magnitude, once an IP option is
in a packet, the damage is essentially done, otherwise looking up the
path to an address in the options is no more impactive than looking up the
address in the original destination field. Source-routing only has security
implications to those with defenses which permit traffic through some type
of backdoor. The backdoor has more security implications than the
source-routing, since it may be compromised in other manners.
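The reply above argues that the cost of an IP option is paid when the header is parsed, and that the hops in a source-route option are just additional addresses to look up. The Python below is an added illustration, not code from the thread or its authors: it does the parsing a router or packet filter has to do, walking the IPv4 options area (RFC 791 layout), extracting a loose or strict source-route option (types 131 and 137), and applying a forward-or-drop policy so the "disable it or keep it" decision is visible as a single switch. The sample packets and addresses are constructed inline from documentation ranges, and all function names are my own.

```python
import struct
from typing import List, Optional, Tuple

# IPv4 option type codes (RFC 791). The two source-route types are the
# ones an operator turns off when disabling source-routing on a router.
IPOPT_EOOL = 0     # end of option list
IPOPT_NOP = 1      # no-op padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words. A header that already carries
    a correct checksum sums to 0 when run back through this function."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area of an IPv4 header and return (type, payload)
    pairs. Malformed option areas raise ValueError instead of being
    silently skipped, so a filter can treat them as droppable too."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or IHL")
    opts = packet[20:ihl]
    parsed = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past IHL")
        parsed.append((opt_type, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def source_route(packet: bytes) -> Optional[Tuple[str, int, List[str]]]:
    """Return (name, pointer, hop list) for an LSRR/SSRR option, else None."""
    for opt_type, payload in parse_ipv4_options(packet):
        if opt_type in SOURCE_ROUTE_OPTIONS:
            if not payload or (len(payload) - 1) % 4:
                raise ValueError("malformed source-route option")
            pointer = payload[0]
            hops = [ip_str(payload[k:k + 4]) for k in range(1, len(payload), 4)]
            return SOURCE_ROUTE_OPTIONS[opt_type], pointer, hops
    return None


def policy_decision(packet: bytes, allow_source_route: bool = False) -> str:
    """Filter decision in the spirit of the thread: forward plain packets,
    and either honour or drop source-routed ones depending on policy."""
    try:
        route = source_route(packet)
    except ValueError as exc:
        return f"drop (malformed: {exc})"
    if route is None:
        return "forward"
    return "forward" if allow_source_route else f"drop ({route[0]})"


# --- constructed sample packets; addresses are from the RFC 5737 documentation ranges ---

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOOL
    ihl = 5 + len(options) // 4
    fields = ((4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    header = struct.pack("!BBHHHBBH4s4s", *fields) + options
    csum = ipv4_checksum(header)                  # checksum covers the options too
    return header[:10] + struct.pack("!H", csum) + header[12:]


def lsrr_option(hops: List[str]) -> bytes:
    body = b"".join(ip_bytes(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body   # pointer starts at 4


PLAIN = build_ipv4_header("192.0.2.10", "198.51.100.20")
ROUTED = build_ipv4_header("192.0.2.10", "198.51.100.20",
                           lsrr_option(["203.0.113.1", "203.0.113.2"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", ROUTED)):
        print(name, policy_decision(pkt), source_route(pkt))
```

The parser deliberately refuses option areas whose lengths do not add up, since a filter that skips over what it cannot parse is easier to get past than one that drops it; the `allow_source_route` flag is the one place where the policy argued about in the thread is decided.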

