nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: If you have nothing to hide

From: Eric Osborne <eosborne () cisco com>
Date: Mon, 5 Aug 2002 16:26:39 -0400



Validation of routing policy to ensure others aren't abusing you (pointing
default, for example). As for orders of magnitude, once an IP option is
in a packet, the damage is essentially done, otherwise looking up the
path to an address in the options is no more impactive than looking up the
address in the original destination field. 


Well, no.  Not really.
First off, following the 80/20 rule (or in this case 99.x/(100-99.x)
rule) says that hardware implementations which get optioned packets
punt them to software.  This is at every hop.

Second, the IP source route is a stack of IP addresses, which must be
modified at every hop.  This implies not just software forwarding, but
also significantly more work than an IP lookup.




eric


source-routing only has security
implications to those with defenses which permit traffic through some type
of backdoor. The backdoor has more security implications than the
source-routing, since it may be compromised in other manners.
Previous By Date Next
Previous By Thread Next

Current thread: