nanog mailing list archives

Re: Tier 2 ingress filtering


From: William Herrin <bill () herrin us>
Date: Sat, 30 Mar 2013 01:07:11 -0400

On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
<alejandroacostaalamo () gmail com> wrote:
> On 3/29/13, Patrick <nanog () haller ws> wrote:
>> On 2013-03-29 14:49, William Herrin wrote:
>>> I've long thought router vendors should introduce a configuration
>>> option to specify the IP address from which ICMP errors are emitted
>>> rather than taking the interface address from which the packet causing
>>> the error was received.
>>
>> Concur. An 'ip(v6)? icmp source-interface loop0' sure beats running 'ip
>> unnumbered loop0' everywhere. ;)
>
> Why do you think it will be better? Can you explain?

Hi Alejandro,

Consider the alternatives:

1. Provide a router configuration option (per router and/or per
interface) to emit ICMP error messages from a specified IP address
rather than the interface address.

2. At every border, kick packets without an Internet-legitimate source
address up to the slow path for network address translation to a
source address which is valid.

3. Design your network so that any router with at least one network
interface whose IP address is not valid on the Internet has exactly
the same MTU on every interface, and at least an MTU of 1500 on all of
them, guaranteeing that the router will never emit a
fragmentation-needed message. And do this consistently. Every time.

4. Redesign TCP so it doesn't rely on ICMP destination unreachable
messages to determine path MTU and get your new design deployed into
every piece of software on the Internet.

5. Accept that TCP will break unexpectedly due to lost
fragmentation-needed messages, presenting as a particularly nasty and
intermittent failure that's hard to track and harder to fix.


Which do you find least offensive?

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

