[92573] in North American Network Operators' Group


Re: New router feature - icmp error source-interface [was: icmp rpf]

daemon@ATHENA.MIT.EDU (Payam Tarverdyan Chychi)
Tue Sep 26 01:22:31 2006

Date: Mon, 25 Sep 2006 21:34:55 -0700
From: Payam Tarverdyan Chychi <payam@bhsecurity.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@merit.edu
In-Reply-To: <20060926021237.GF27784@core.center.osis.gov>
Errors-To: owner-nanog@merit.edu


Joseph S D Yao wrote:
> On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
> ...
>> Who thinks it would be a "good idea" to have a knob such that ICMP
>> error messages are always sourced from a certain IP address on a router?
> ...
>
> I've sometimes thought it would be useful when I wanted to hide a route.
> But security via obscurity just makes it that much harder to fix
> something.  Many more times than this would have been useful, I've been
> able to identify at which router a problem was by a 'traceroute' that
> told me into which router by which interface I was going, when the
> owner of the router might not even have known.  Or I have had attempts
> to do this foiled by routers that used an internal loopback IP address.
> On the whole, then, I guess I would vote, "no".
>
Why not just do a 'show ip route'? Since you can actually verify the
information against your routing table.
This way you can see when the route was learned, where it was learned
from and how long ago it was last updated...
The problem is that too many people ("engineers") rely on traceroute...
Sure, traceroute is a wonderful tool; however, it is meant to assist you
in "tracking down" the problem.

I've seen far too many "you are filtering, investigate please" when all
that has been done is implementing ACLs and rate limiting.

IMO, if you want to implement a non-routable IP space to protect your
backbone... go for it.
If you want to ICMP rate limit *I know Level3 does this out of both NYC
and LA*, which causes mass threads of "we are getting packet loss, please
investigate", go for it...

If your network engineers are not equipped with the information on how
to fully diagnose a network/problem... you should think about new hires.

Cheers,
Payam
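To make the "verify it against your routing table" advice concrete, here is an added Python example that is not from the thread or from any of its posters. It parses a constructed Cisco IOS-style `show ip route` listing, does a longest-prefix match for each address seen in a traceroute, and reports which route the hop fell into, how that route was learned, from which next hop, how long ago, and via which interface. The route lines, hop addresses and the `parse_routes`/`lookup`/`annotate_hops` names are all assumptions made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Cisco IOS-style "show ip route" output. It is made up
# for this example; the prefixes, next hops and ages are not from the thread.
SHOW_IP_ROUTE = """\
C        10.0.0.0/30 is directly connected, GigabitEthernet0/1
L        10.0.0.1/32 is directly connected, GigabitEthernet0/1
O        10.1.2.0/24 [110/20] via 10.0.0.2, 00:05:12, GigabitEthernet0/1
O        10.9.0.0/16 [110/30] via 10.0.0.2, 1w2d, GigabitEthernet0/1
B        192.0.2.0/24 [200/0] via 10.0.0.2, 3d02h
S*       0.0.0.0/0 [1/0] via 10.0.0.2
"""

# Constructed traceroute hop addresses to check against the table.
TRACEROUTE_HOPS = ["10.0.0.2", "10.1.2.5", "10.9.3.4", "198.51.100.7"]

# One route line: "<code> <prefix> [AD/metric] via <nh>[, <age>][, <iface>]"
# or "<code> <prefix> is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s+(?P<age>[^,\s]+))?(?:,\s+(?P<iface>\S+))?"
    r"|is directly connected,\s+(?P<ciface>\S+))\s*$"
)


@dataclass
class Route:
    proto: str                      # routing source code (C, L, O, B, S*, ...)
    network: ipaddress.IPv4Network
    next_hop: Optional[str]         # None for connected/local routes
    age: Optional[str]              # uptime string as printed, or None
    interface: Optional[str]        # egress interface, or None if not printed


def parse_routes(text: str) -> List[Route]:
    """Turn the route listing into Route records; non-route lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, gateway-of-last-resort and summary lines
        routes.append(Route(
            proto=m.group("proto"),
            network=ipaddress.ip_network(m.group("prefix"), strict=False),
            next_hop=m.group("nh"),
            age=m.group("age"),
            interface=m.group("iface") or m.group("ciface"),
        ))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the forwarding plane applies."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.network and (best is None
                                or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def annotate_hops(routes: List[Route], hops: List[str]) -> List[dict]:
    """For each traceroute hop, record the route it falls into and its origin."""
    out = []
    for hop in hops:
        r = lookup(routes, hop)
        out.append({
            "hop": hop,
            "prefix": str(r.network) if r else None,
            "learned_via": r.proto if r else None,
            "learned_from": r.next_hop if r else None,
            "age": r.age if r else None,
            "interface": r.interface if r else None,
        })
    return out


if __name__ == "__main__":
    for row in annotate_hops(parse_routes(SHOW_IP_ROUTE), TRACEROUTE_HOPS):
        print(row)
```

A hop that resolves only to the default route (no specific prefix, no interface) is exactly the case where traceroute alone tells you little; a hop that lands in a /32 learned from an IGP is typically a router loopback, which identifies the box but not the ingress interface, matching the "foiled by loopback" situation described in the quoted reply.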

