nanog mailing list archives
Re: Tier 2 ingress filtering
From: Alejandro Acosta <alejandroacostaalamo () gmail com>
Date: Sat, 30 Mar 2013 21:47:13 -0430
Hi William,

Thanks for your response, my comments below:

On 3/30/13, William Herrin <bill () herrin us> wrote:
> On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta <alejandroacostaalamo () gmail com> wrote:
>> On 3/29/13, Patrick <nanog () haller ws> wrote:
>>> On 2013-03-29 14:49, William Herrin wrote:
>>>> I've long thought router vendors should introduce a configuration option to specify the IP address from which ICMP errors are emitted rather than taking the interface address from which the packet causing the error was received.
>>>
>>> Concur. An 'ip(v6)? icmp source-interface loop0' sure beats running 'ip unnumbered loop0' everywhere. ;)
>>
>> Why do you think it will be better? Can you explain?
>
> Hi Alejandro,
>
> Consider the alternatives:
>
> 1. Provide a router configuration option (per router and/or per interface) to emit ICMP error messages from a specified IP address rather than the interface address.
I imagine that and it sounds terrific. I guess at least this option should come disabled by default.
> 2. At every border, kick packets without an Internet-legitimate source address up to the slow path for network address translation to a source address which is valid.
IMHO this can be achieved with the current behaviour.
> 3. Design your network so that any router with at least one network interface whose IP address is not valid on the Internet has exactly the same MTU on every interface, and at least an MTU of 1500 on all of them, guaranteeing that the router will never emit a fragmentation-needed message. And do this consistently. Every time.
If you have PMTUD enabled, you won't need this every time.
> 4. Redesign TCP so it doesn't rely on ICMP destination unreachable messages to determine path MTU and get your new design deployed into every piece of software on the Internet.
You will have the same problem using only one output interface for ICMP errors/messages. Of course, based on your comments, you mean you will need to troubleshoot this interface only once.
> 5. Accept that TCP will break unexpectedly due to lost fragmentation-needed messages, presenting as a particularly nasty and intermittent failure that's hard to track and harder to fix.
Same answer as in 3.
> Which do you find least offensive?
None of them is offensive. I think this could be a nice feature to have, but I hope it's disabled by default.
> Regards,
> Bill Herrin
Thanks,

Regards,

Alejandro Acosta
> --
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
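Added example, not part of the thread: a toy model of the failure mode the alternatives above argue about. A core router with an RFC 1918 interface address sources its fragmentation-needed message from that address, a BCP 38 style ingress filter on the way back drops it, and the sender's PMTUD black-holes; the same path with a fixed public ICMP source (the 'icmp source-interface' knob) or with a uniform 1500 MTU (alternative 3) recovers. All addresses and MTUs are constructed for the model; the bogon list is deliberately short.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Border ingress filter: drop anything sourced from a non-Internet prefix.
# Constructed, abbreviated bogon list; a real filter would be fuller.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "169.254.0.0/16")]

def ingress_filter_passes(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in BOGONS)

@dataclass
class Hop:
    name: str
    ingress_addr: str                   # interface the packet arrived on
    egress_mtu: int
    icmp_source: Optional[str] = None   # the proposed fixed ICMP source

def forward(path, size):
    """Forward one DF packet of `size` bytes along `path`.
    Returns ('delivered', size), ('too_big', mtu) when the ICMP error
    reaches the sender, or ('blackholed', mtu) when the filter eats it."""
    for hop in path:
        if size > hop.egress_mtu:
            # Default behaviour: error sourced from the receiving interface.
            src = hop.icmp_source or hop.ingress_addr
            kind = "too_big" if ingress_filter_passes(src) else "blackholed"
            return (kind, hop.egress_mtu)
    return ("delivered", size)

def pmtud(path, start=1500, attempts=8):
    """Classic PMTUD: shrink to the advertised MTU on each too_big; return
    None when the packet vanishes with no ICMP feedback (black hole)."""
    size = start
    for _ in range(attempts):
        status, value = forward(path, size)
        if status == "delivered":
            return size
        if status == "blackholed":
            return None
        size = value
    return None

def scenario(icmp_source=None, tunnel_mtu=1400):
    # Public-addressed edge, RFC 1918-addressed core behind a smaller MTU.
    return [Hop("edge", "203.0.113.1", 1500),
            Hop("core", "10.1.1.1", tunnel_mtu, icmp_source)]
```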