[92566] in North American Network Operators' Group
Re: New router feature - icmp error source-interface [was: icmp rpf]
daemon@ATHENA.MIT.EDU (Chris L. Morrow)
Mon Sep 25 22:33:24 2006
Date: Tue, 26 Sep 2006 02:29:50 +0000 (GMT)
From: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <20060926021237.GF27784@core.center.osis.gov>
To: Joseph S D Yao <jsdy@center.osis.gov>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Mon, 25 Sep 2006, Joseph S D Yao wrote:
>
> On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
> ...
> > Who thinks it would be a "good idea" to have a knob such that ICMP
> > error messages are always source from a certain IP address on a router?
> ...
>
>
> I've sometimes thought it would be useful when I wanted to hide a route.
> But security via obscurity just makes it that much harder to fix
I think in the original poster's scenario one network was looking to
protect their resources/equipment from a majority of the network's ills.
It's not unreasonable... at least not in my mind. It's also not 'security
through obscurity' since one of the parties is/was leaking their
information OUT, just not 'in' :)
> something. Many more times than this would have been useful, I've been
> able to identify at which router a problem was by a 'traceroute' that
What's interesting is that today, in many networks, the usefulness of
traceroute has been degraded by other non-ip issues (<cough>mpls</cough>)
not in ALL cases, but certainly in many you are not seeing quite what
you'd expect from the traceroute :(
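The two effects discussed in this thread, an ICMP error source knob and MPLS hops that do not decrement TTL, as an added simulation (not code from the thread or from any vendor; router names and addresses are constructed):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Router:
    """One hop on the probe's path (constructed, hypothetical addresses)."""
    name: str
    ingress: str                       # interface address the probe arrives on
    loopback: str
    icmp_source: Optional[str] = None  # the proposed knob: fixed source for ICMP errors
    mpls_hidden: bool = False          # label-switched hop that does not decrement IP TTL

def traceroute(path, max_ttl=16):
    """Return (ttl, replying address) for every Time-Exceeded reply we would see."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        for r in path:
            if r.mpls_hidden:
                continue               # no TTL propagation inside the LSP: hop never answers
            remaining -= 1
            if remaining == 0:
                hops.append((ttl, r.icmp_source or r.ingress))
                break
        else:
            break                      # TTL passed every router on the path; stop probing
    return hops

def identify(hops, path):
    """Map each replying address back to a router and to what the operator learns."""
    out = []
    for ttl, addr in hops:
        for r in path:
            if addr == r.ingress:
                out.append((ttl, r.name, "router and ingress interface known"))
            elif addr == r.loopback:
                out.append((ttl, r.name, "router known, interface hidden"))
    return out

# Constructed path: r2 sources ICMP errors from its loopback, p1 sits in an LSP.
PATH = [
    Router("r1", "10.0.1.1", "192.0.2.1"),
    Router("r2", "10.0.2.1", "192.0.2.2", icmp_source="192.0.2.2"),
    Router("p1", "10.0.3.1", "192.0.2.3", mpls_hidden=True),
    Router("r3", "10.0.4.1", "192.0.2.4"),
]

if __name__ == "__main__":
    for ttl, name, note in identify(traceroute(PATH), PATH):
        print(f"{ttl:2d}  {name}  {note}")
```

Running it shows r2 still identifiable (by loopback, without the interface) while p1 never appears in the output at all, which is the degradation the reply refers to.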