[50598] in North American Network Operators' Group


Re: If you have nothing to hide

daemon@ATHENA.MIT.EDU (Eric Osborne)
Mon Aug 5 16:27:11 2002

Date: Mon, 5 Aug 2002 16:26:39 -0400
From: Eric Osborne <eosborne@cisco.com>
To: bdragon@gweep.net
Cc: Stephen Sprunk <ssprunk@cisco.com>, nanog@merit.edu
In-Reply-To: <20020805160746.41121.qmail@sidehack.sat.gweep.net>
Errors-To: owner-nanog-outgoing@merit.edu



> Validation of routing policy to ensure others aren't abusing you (pointing
> default, for example). As for orders of magnitude, once an IP option is
> in a packet, the damage is essentially done, otherwise looking up the
> path to an address in the options is no more impactive than looking up the
> address in the original destination field. 

Well, no.  Not really.
First off, the 80/20 rule (or in this case the 99.x/(100-99.x)
rule) says that hardware implementations which get optioned packets
punt them to software.  This is at every hop.

Second, the IP source route is a stack of IP addresses, which must be
modified at every hop.  This implies not just software forwarding, but
also significantly more work than an IP lookup.




eric

> source-routing only has security
> implications to those with defenses which permit traffic through some type
> of backdoor. The backdoor has more security implications than the
> source-routing, since it may be compromised in other manners.

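The per-hop rewrite Eric describes, worked through in code. This is an added
example, not code from the thread or from any router vendor: it emulates what
RFC 791 section 3.1 requires of a router that receives a datagram with a loose
or strict source-route option (LSRR/SSRR), using documentation-prefix
addresses and a constructed payload. Every hop that is named in the route has
to rewrite the destination field, overwrite one route slot with its own
address, advance the pointer, decrement the TTL and recompute the header
checksum; the final function is the check a border filter would apply to drop
such packets outright.

```python
"""Emulation of IPv4 source-route (LSRR/SSRR) processing per RFC 791.
Added example; addresses and payload are constructed, not captured."""
import ipaddress
import struct

IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum; over a valid header (checksum included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, route=None, payload=b"", strict=False):
    """Datagram whose destination is the first hop; `route` holds the remaining
    hops in the option, pointer at 4 (the first slot). route=None: no option."""
    opt = b""
    if route is not None:
        opt = bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + 4 * len(route), 4])
        for hop in route:
            opt += ipaddress.IPv4Address(hop).packed
        opt += bytes(-len(opt) % 4)          # pad with EOL to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                                0, 0x4000, 64, 17, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr += opt
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def destination(pkt: bytes) -> str:
    return str(ipaddress.IPv4Address(pkt[16:20]))


def header_ok(pkt: bytes) -> bool:
    return ipv4_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def find_source_route(pkt: bytes):
    """Walk the option area; return (header offset, type) of an LSRR/SSRR
    option, or None. Raises ValueError on malformed options."""
    ihl, i = (pkt[0] & 0x0F) * 4, 20
    while i < ihl:
        t = pkt[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option")
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            return i, t
        i += pkt[i + 1]
    return None


def source_route_hop(pkt: bytes, my_addr: str):
    """What router `my_addr` does with `pkt`. Returns (packet, next_hop);
    next_hop is None when the datagram is delivered locally. A datagram for us
    with route entries left gets destination, one slot, pointer, TTL and
    checksum rewritten: none of this happens on a plain destination lookup."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if destination(pkt) != my_addr:
        return pkt, destination(pkt)          # not for us: ordinary forwarding
    found = find_source_route(pkt)
    if found is None:
        return pkt, None                      # ordinary local delivery
    base, _ = found
    length, pointer = hdr[base + 1], hdr[base + 2]
    if pointer > length:
        return pkt, None                      # route exhausted: we are the end
    if pointer < 4 or pointer + 3 > length:
        raise ValueError("bad source-route pointer")
    if hdr[8] <= 1:
        raise ValueError("TTL expired")
    slot = base + pointer - 1
    next_hop = bytes(hdr[slot:slot + 4])
    hdr[slot:slot + 4] = ipaddress.IPv4Address(my_addr).packed   # record ourselves
    hdr[16:20] = next_hop                                        # new destination
    hdr[base + 2] = pointer + 4                                  # advance pointer
    hdr[8] -= 1                                                  # TTL
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:], str(ipaddress.IPv4Address(next_hop))


def recorded_route(pkt: bytes):
    """(addresses already recorded, hops still pending) from the option."""
    found = find_source_route(pkt)
    if found is None:
        return [], []
    base, _ = found
    length, pointer = pkt[base + 1], pkt[base + 2]
    addrs = [str(ipaddress.IPv4Address(pkt[base + 3 + 4 * k:base + 7 + 4 * k]))
             for k in range((length - 3) // 4)]
    done = (pointer - 4) // 4
    return addrs[:done], addrs[done:]


def walk(pkt: bytes):
    """Hand the datagram to each named hop in turn until it is delivered."""
    path, hop = [], destination(pkt)
    while hop is not None:
        path.append(hop)
        pkt, hop = source_route_hop(pkt, hop)
    return pkt, path


def has_source_route(pkt: bytes) -> bool:
    """The border-filter check: true for anything carrying LSRR/SSRR,
    and for malformed option areas, which a filter should also drop."""
    try:
        return find_source_route(pkt) is not None
    except ValueError:
        return True


# Constructed sample: source 10.0.0.1 steers the packet via two routers.
SRC, R1, R2, DST = "10.0.0.1", "192.0.2.1", "198.51.100.1", "203.0.113.9"
PKT = build_ipv4(SRC, R1, route=[R2, DST], payload=b"constructed payload")
PLAIN = build_ipv4(SRC, DST, payload=b"constructed payload")

if __name__ == "__main__":
    final, path = walk(PKT)
    print("hops:", path, "recorded:", recorded_route(final), "ttl:", final[8])
```

Running it shows the route slots being overwritten hop by hop with the
routers' own addresses while the destination field marches through the list,
which is why every hop is software work; has_source_route() is the cheap test
a filter applies instead of playing along.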