[92561] in North American Network Operators' Group


Re: New router feature - icmp error source-interface [was: icmp rpf]

daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Mon Sep 25 20:07:12 2006

Date: Mon, 25 Sep 2006 19:40:43 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: David Temkin <dave@rightmedia.com>
Cc: nanog@merit.edu
In-Reply-To: <F954425D51016944BA33ECE28561C345034BF934@CBA0E2K06.CBA0.centerbeam.com>
Errors-To: owner-nanog@merit.edu


On Mon, Sep 25, 2006 at 04:33:18PM -0700, David Temkin wrote:
> 
> C and J both already have a similar feature, however I'm not sure
> whether or not they apply to ICMP.  They both support PBR for locally
> originated packets - which, should include if the thought process is
> correct, ICMP.  Perhaps someone with some time to waste can verify this
> in a lab.
> 
> http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca590.html#5406

The actual path taken for the ICMP generated by the router does not
matter, we're just talking about the source address selected by the
router. The only reasons that the source address (which reveals a real IP
address on a router) matters at all for ICMP error responses are:

* So traceroute works (current industry standard behavior is to use the
  ingress interface IP so you see the forward path in traceroute, not the
  reverse path, which may be asymmetric).

* So your replies don't get thwacked by people doing uRPF strict (i.e.
  they must come from announced IPs or people doing strict strict with no
  exception filtering capabilities will block the traceroute responses).

* Optionally, allowing naive tools like MTR to ping the IP they discover
  via traceroute, lest weenies flood your noc with "I'm pinging 10lolz!"
  emails.

Revealing your interface IPs carries all kinds of DoS/security risks with
it, since there are a great many routers out there without good control
plane policing functionality (and even some of those that have it, don't
really have it :P). Since there is really no legitimate need for people
from the outside world to ever communicate with your real interface IPs at
all (with the exception of some rate limited ICMP echo/reply due to
aforementioned mtr weenies), having the option to hide those real
addresses completely in ICMP source address selection is a very good thing
for enhancing network security.

As I said you can accomplish part of this hack with primary/secondary IPs
on interfaces. You can also accomplish some level of filtering by
numbering your interfaces out of common blocks which are filtered at your
various borders/edges. It's still a pain in the !(*#&*, especially if you
number your links out of any "regional blocks" to cut down on asymmetric
routing confusion, or have any number of peers who provide /30s from
their own IP space.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
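The strict-uRPF interaction from the second bullet above, modelled as an added Python example (not part of the original post): a constructed border FIB and a constructed remote router show that a TTL-exceeded reply sourced from the remote loopback passes a strict uRPF check at our border, while one sourced from a peer-provided /30 or from an unannounced link block is dropped and the hop shows as `* * *`. All prefixes, addresses, interface names and source-selection policies here are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Optional

def best_route(fib: Dict[str, str], src: str) -> Optional[str]:
    """Longest-prefix match of src against fib ({prefix: egress interface})."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p).prefixlen, ifname)
               for p, ifname in fib.items() if addr in ipaddress.ip_network(p)]
    return max(matches)[1] if matches else None

def urpf_strict_accepts(fib: Dict[str, str], src: str, ingress_if: str) -> bool:
    """Strict uRPF with no default route and no exception ACL: the best route
    for the packet's source must point back out the interface it arrived on."""
    return best_route(fib, src) == ingress_if

def icmp_error_source(router: dict, ingress_if: str, policy: str) -> str:
    """Source a router stamps on its TTL-exceeded reply (constructed policies)."""
    if policy == "ingress-interface":
        return router["interfaces"][ingress_if]
    if policy == "loopback":
        return router["loopback"]
    raise ValueError(f"unknown policy {policy!r}")

def reply_survives(border_fib, border_if, router, router_if, policy) -> bool:
    """Does the remote router's reply pass our border's strict uRPF check?"""
    src = icmp_error_source(router, router_if, policy)
    return urpf_strict_accepts(border_fib, src, border_if)

# Constructed data: our border's FIB. Transit announces 203.0.113.0/24 (which
# holds the remote router's loopback); peer B announces 192.0.2.0/24 directly.
BORDER_FIB = {"203.0.113.0/24": "transit", "192.0.2.0/24": "peer-B"}

# A remote router reached via transit: loopback inside transit's aggregate,
# links numbered from a /30 peer B handed out and from an unannounced block.
REMOTE = {
    "loopback": "203.0.113.1",
    "interfaces": {"ge-0/0/0": "192.0.2.9",       # /30 from peer B's space
                   "ge-0/0/1": "198.51.100.2"},   # unannounced regional block
}

def demo() -> Dict[str, bool]:
    """Whether our traceroute sees the hop, by reply-sourcing policy/interface."""
    args = (BORDER_FIB, "transit", REMOTE)
    return {"loopback": reply_survives(*args, "ge-0/0/0", "loopback"),
            "ingress ge-0/0/0": reply_survives(*args, "ge-0/0/0", "ingress-interface"),
            "ingress ge-0/0/1": reply_survives(*args, "ge-0/0/1", "ingress-interface")}

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'reply accepted' if ok else 'dropped by strict uRPF (* * *)'}")
```

The peer-B case is dropped not because the address is unrouted but because our best route for it points out a different interface than the one the reply arrived on, which is exactly the asymmetric-routing problem the post raises.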
