[92555] in North American Network Operators' Group
Re: New router feature - icmp error source-interface [was: icmp
daemon@ATHENA.MIT.EDU (Mark Smith)
Mon Sep 25 17:22:38 2006
Date: Tue, 26 Sep 2006 06:52:16 +0930
From: Mark Smith <nanog@fa1c52f96c54f7450e1ffb215f29991e.nosense.org>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu, patrick@ianai.net
In-Reply-To: <2A0E638F-631E-447F-A916-1219C78A68B9@ianai.net>
Errors-To: owner-nanog@merit.edu
On Mon, 25 Sep 2006 09:22:34 -0400
"Patrick W. Gilmore" <patrick@ianai.net> wrote:
>
> On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
>
> > ICMP packets will, by design, originate from the incoming interface
> > used by the packet that triggers the ICMP packet. Thus giving an
> > interface an address is implicitly giving that interface the
> > ability to source packets with that address to potentially anywhere
> > in the Internet. If you don't legitimately announce address space
> > then sourcing packets with addresses in that space is (one
> > definition of) spoofing.
>
> Who thinks it would be a "good idea" to have a knob such that ICMP
> error messages are always sourced from a certain IP address on a router?
>
I do.
--
"Sheep are slow and tasty, and therefore must remain constantly
alert."
- Bruce Schneier, "Beyond Fear"
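An added illustration of the point Ian makes above, not code from the thread or from any router vendor: with a constructed router configuration (interface addresses, announced prefixes and a loopback are all hypothetical sample values), it lists which interfaces would, under the default "source from the ingress interface" behaviour, emit ICMP errors from unannounced space, and shows that a fixed-source knob set to an announced loopback removes the problem.

```python
import ipaddress

# Constructed sample router state (hypothetical values, not from the thread).
ANNOUNCED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
LOOPBACK = ipaddress.ip_address("192.0.2.1")          # inside announced space
INTERFACES = {
    "ge-0/0/0": ipaddress.ip_address("10.10.10.1"),    # unannounced link address
    "ge-0/0/1": ipaddress.ip_address("192.0.2.254"),   # announced address
    "ge-0/0/2": ipaddress.ip_address("198.51.100.9"),  # unannounced link address
}


def is_announced(addr, prefixes=ANNOUNCED_PREFIXES):
    """True if addr falls inside a prefix this router legitimately announces."""
    return any(addr in p for p in prefixes)


def icmp_error_source(ingress_iface, fixed_source=None):
    """Default: the ICMP error is sourced from the ingress interface address.
    With the knob set (fixed_source), every ICMP error uses that address."""
    if fixed_source is not None:
        return fixed_source
    return INTERFACES[ingress_iface]


def audit(fixed_source=None):
    """Return the interfaces whose triggered ICMP errors would carry a source
    address outside announced space, i.e. look like spoofed packets upstream."""
    offending = []
    for iface in sorted(INTERFACES):
        src = icmp_error_source(iface, fixed_source)
        if not is_announced(src):
            offending.append((iface, str(src)))
    return offending


if __name__ == "__main__":
    print("default sourcing :", audit())
    print("fixed to loopback:", audit(LOOPBACK))
```

Running it prints the two unannounced link interfaces for the default case and an empty list once the source is pinned to the loopback.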