Re: Tier 2 ingress filtering

[Alejandro Acosta <alejandroacostaalamo () gmail com>]

Hi William,
  Thanks for your response, my comments below:

On 3/30/13, William Herrin <bill () herrin us> wrote:
> On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
> <alejandroacostaalamo () gmail com> wrote:
> > On 3/29/13, Patrick <nanog () haller ws> wrote:
> > > On 2013-03-29 14:49, William Herrin wrote:
> > > > I've long thought router vendors should introduce a configuration
> > > > option to specify the IP address from which ICMP errors are emitted
> > > > rather than taking the interface address from which the packet causing
> > > > the error was received.
> > >
> > > Concur. An 'ip(v6)? icmp source-interface loop0' sure beats running 'ip
> > > unnumbered loop0' everywhere. ;)
> >
> > Why do you think it will be better?, can you explain?
>
> Hi Alejandro,
>
> Consider the alternatives:
>
> 1. Provide a router configuration option (per router and/or per
> interface) to emit ICMP error messages from a specified IP address
> rather than the interface address.

I imagine that and it sounds terrific. I guess at least this option
should come disabled by default.

> 2. At every border, kick packets without an Internet-legitimate source
> address up to the slow path for network address translation to a
> source address which is valid.

IMHO this can be achieved with the current behaviour.

> 3. Design your network so that any router with at least one network
> interface whose IP address is not valid on the Internet has exactly
> the same MTU on every interface, and at least an MTU of 1500 on all of
> them, guaranteeing that the router will never emit a
> fragmentation-needed message. And do this consistently. Every time.

If you have pmtud enabled you won't need this every time


> 4. Redesign TCP so it doesn't rely on ICMP destination unreachable
> messages to determine path MTU and get your new design deployed into
> every piece of software on the Internet.

You will have the same problem using only one output interface for
ICMP error/messages. Of course based in your comments you mean you
will need to troubleshoot this interface only once.

> 5. Accept that TCP will break unexpectedly due to lost
> fragmentation-needed messages, presenting as a particularly nasty and
> intermittent failure that's hard to track and harder to fix.

Same answer as in 3.

> Which do you find least offensive?

None of them if offensive, I think this could be a nice feature to
have but I hope it's disable by default.

> Regards,
> Bill Herrin

Thanks,

Regards,
Alejandro Acosta,


> --
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004