[92540] in North American Network Operators' Group
New router feature - icmp error source-interface [was: icmp rpf]
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Sep 25 09:26:21 2006
In-Reply-To: <BB6AC07F-1733-4AB8-AAFF-12E0FCBF8C0E@ian.co.uk>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Mon, 25 Sep 2006 09:22:34 -0400
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
> ICMP packets will, by design, originate from the incoming interface
> used by the packet that triggers the ICMP packet. Thus giving an
> interface an address is implicitly giving that interface the
> ability to source packets with that address to potential anywhere
> in the Internet. If you don't legitimately announce address space
> then sourcing packets with addresses in that space is (one
> definition of) spoofing.
Who thinks it would be a "good idea" to have a knob such that ICMP
error messages are always sourced from a certain IP address on a router?
For instance, you could have a "loopback99" which is in an announced
block, but filtered at all your borders. Then set "ip icmp error
source-interface loopback99" or something. All error messages from a
router would come from this address, regardless of the incoming or
outgoing interface. Things like PMTUD would still work, and your /30s
could be in private space or non-announced space or even
imaginary^Wv6 space. :)
Note I said "error messages", so things like TTL Expired, Port
Unreachable, and Can't Fragment would come from here, but things like
ICMP Echo Request / Reply pairs would not. Perhaps that should be
considered as well, but it is not what I am suggesting here.
Obviously there are lots of side effects, and probably unintended
consequences I have not considered, but I think the good might
outweigh the bad. Or not. Which is why I'm offering it up for suggestion.
(Unless, of course, I get 726384 "you are off-topic" replies, in
which case I withdraw the suggestion.)
--
TTFN,
patrick
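The behaviour under discussion, as an added illustration that is not part of the thread and not any vendor's implementation: a toy router model that generates ICMP errors either from the ingress interface (the conventional behaviour Ian describes) or from a fixed source interface (the knob Patrick proposes; the attribute name `icmp_error_source_interface` and the interface name `loopback99` are taken from his hypothetical). The prefixes (192.0.2.0/24 as "our announced block", 10.255.0.0/30 as an unannounced private link) are constructed. It shows two things: with per-interface sourcing, an unannounced /30 address ends up as the source of a packet sent to an arbitrary Internet host, while the knob keeps every error inside announced space; and because the receiving host matches the error against the embedded original header rather than the ICMP source address, Fragmentation Needed (and therefore PMTUD) still identifies the right flow either way.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed prefixes: 192.0.2.0/24 stands in for the block we announce;
# 10.255.0.0/30 stands in for an unannounced point-to-point link.
ANNOUNCED = [ipaddress.ip_network("192.0.2.0/24")]

ICMP_TIME_EXCEEDED = (11, 0)   # TTL Expired in transit
ICMP_FRAG_NEEDED = (3, 4)      # Destination Unreachable / fragmentation needed


@dataclass(frozen=True)
class Interface:
    name: str
    address: str


@dataclass
class Router:
    interfaces: dict
    # Hypothetical knob ("ip icmp error source-interface X" in the post);
    # None keeps the conventional behaviour of sourcing from the ingress interface.
    icmp_error_source_interface: Optional[str] = None


@dataclass(frozen=True)
class IcmpError:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    next_hop_mtu: int       # only meaningful for Frag Needed
    embedded: bytes         # original IP header + first 8 bytes of payload


def ipv4_header(src, dst, proto=6, total_len=1500):
    """Build a minimal 20-byte IPv4 header (constructed; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def is_announced(addr):
    """True if addr falls inside a prefix we announce to the Internet."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in ANNOUNCED)


def build_icmp_error(router, ingress, orig_packet, kind, next_hop_mtu=0):
    """Generate the ICMP error a router emits for orig_packet received on ingress.

    The error is addressed to the original packet's source, and carries the
    original IP header plus 8 bytes of payload, as RFC 792 requires.
    """
    orig_hdr = orig_packet[:20]
    orig_src = str(ipaddress.ip_address(orig_hdr[12:16]))
    knob = router.icmp_error_source_interface
    src_if = router.interfaces[knob] if knob else router.interfaces[ingress]
    return IcmpError(src_if.address, orig_src, kind[0], kind[1],
                     next_hop_mtu, orig_packet[:28])


def embedded_flow(err):
    """What the receiving host uses to match the error to its own traffic:
    (original src, original dst, protocol) from the embedded header."""
    hdr = err.embedded[:20]
    return (str(ipaddress.ip_address(hdr[12:16])),
            str(ipaddress.ip_address(hdr[16:20])),
            hdr[9])


def leaks_unannounced_source(err):
    """The spoofing concern from the thread: is the error sourced from
    address space we never announce?"""
    return not is_announced(err.src)


def demo():
    router = Router(interfaces={
        "ge0": Interface("ge0", "10.255.0.1"),                # /30 in private space
        "loopback99": Interface("loopback99", "192.0.2.1"),   # in the announced block
    })
    # Constructed transit packet: TCP from a remote host to some destination.
    pkt = ipv4_header("198.51.100.7", "203.0.113.9", proto=6) + b"\x00" * 8

    # Conventional behaviour: source is whatever address the ingress interface has.
    default_err = build_icmp_error(router, "ge0", pkt, ICMP_TIME_EXCEEDED)

    # With the proposed knob: every error comes from loopback99 instead.
    router.icmp_error_source_interface = "loopback99"
    knob_err = build_icmp_error(router, "ge0", pkt, ICMP_FRAG_NEEDED, next_hop_mtu=1400)
    return default_err, knob_err


if __name__ == "__main__":
    d, k = demo()
    print("default source", d.src, "leaks unannounced:", leaks_unannounced_source(d))
    print("knob source   ", k.src, "leaks unannounced:", leaks_unannounced_source(k))
    print("host matches flow", embedded_flow(k), "next-hop MTU", k.next_hop_mtu)
```

The model also makes the filtering point concrete: because every error is destined to the original sender and sourced from loopback99, a border ingress filter that drops packets *addressed to* loopback99 does not interfere with the errors leaving the network, while the /30 addresses never appear on the wire outside it.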