nanog mailing list archives
Re: Access to the Internic Blocked
From: Curtis Villamizar <curtis () ans net>
Date: Thu, 22 Aug 1996 11:53:47 -0400
In message <199608220449.VAA00216 () quest quake net>, Vadim Antonov writes:
> On itself, LSRR is a godsend to hackers (I can think of about a dozen very nasty attacks using general LSRR). The only useful application for it is traceroute. Why don't router vendors provide an option to turn it off for everything but ICMP ECHO?
>
> --vadim

I've said many times that if security in your network is weak enough that you need to worry about LSRR packets you need to worry about security in your network.

The minute someone unpacks a Sun workstation, configures an IP address and sticks it on the ethernet without installing the security patches and doing the administrative work needed to secure the machine, if you had a small hole in your security with LSRR, you now have a gaping hole in your security. If you are relying on blocking LSRR, your security is as weak as the most poorly administered machine on your network. A real bad thing if you are constantly hiring.

Even so, if anywhere, where you want LSRR turned off is the border router(s) in front of the machines used for operations, network management, etc. Obviously you want your network to be secure even if LSRR was enabled for the reason I cited above.

Curtis
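
The filtering policy raised in the quoted question (refuse LSRR for everything but ICMP ECHO), written out as an added example that is not part of either post or of any router vendor's implementation. The function names, the fail-closed handling of malformed headers, and the documentation-range addresses in the sample packets are assumptions made for illustration.

```python
import struct

LSRR = 0x83  # IPv4 option type 131, loose source and record route (RFC 791)

def ip_options(pkt):
    """Yield (type, data) per IPv4 header option; ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad header length")
    i = 20
    while i < ihl:
        opt = pkt[i]
        if opt == 0:            # End of Option List
            return
        if opt == 1:            # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("bad option length")
        yield opt, pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]

def verdict(pkt):
    """Drop LSRR packets unless they are unfragmented ICMP echo requests."""
    try:
        has_lsrr = any(t == LSRR for t, _ in ip_options(pkt))
    except ValueError:
        return "drop"           # malformed header: fail closed (assumed policy)
    if not has_lsrr:
        return "forward"
    ihl = (pkt[0] & 0x0F) * 4
    unfragmented = (int.from_bytes(pkt[6:8], "big") & 0x3FFF) == 0  # MF clear, offset 0
    is_echo = pkt[9] == 1 and unfragmented and len(pkt) > ihl and pkt[ihl] == 8
    return "forward" if is_echo else "drop"

def build(proto, payload, options=b""):
    """Constructed sample packet: bare IPv4 header (checksum left 0) + payload."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

# Constructed option: type, length 7, pointer 4, one hop address (203.0.113.9)
LSRR_OPT = bytes([LSRR, 7, 4, 203, 0, 113, 9])
if __name__ == "__main__":
    print(verdict(build(1, b"\x08\x00\x00\x00", LSRR_OPT)), verdict(build(6, b"\x00" * 20, LSRR_OPT)))
```

As the reply argues, a filter like this belongs at the border in front of operations and management hosts and does not replace securing the hosts themselves.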