nanog mailing list archives
Re: New router feature - icmp error source-interface [was: icmp rpf]
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 25 Sep 2006 19:58:25 -0400
On Sep 25, 2006, at 5:40 PM, Richard A Steenbergen wrote:
> On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
>> On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:
>>> ICMP packets will, by design, originate from the incoming interface used by the packet that triggers the ICMP packet. Thus giving an interface an address is implicitly giving that interface the ability to source packets with that address to potentially anywhere in the Internet. If you don't legitimately announce address space then sourcing packets with addresses in that space is (one definition of) spoofing.
>>
>> Who thinks it would be a "good idea" to have a knob such that ICMP error messages are always sourced from a certain IP address on a router?
>
> You know I was just having this discussion with someone else a couple days ago. It turns out, much to my surprise, that the RFC actually calls for the ICMP error-message packet (as you said, the things that aren't ping etc. which require a specific source-address) to originate from the OUTGOING interface used to return the ICMP message to the original sender. After much googling, I can't find any document where this has ever been officially updated either. The de facto industry standard on the other hand has been to use the primary address of the inbound interface, which serves exactly one function: it makes traceroute work.
I have not read the RFC in full, but after chatting with Daniel offline (see, some people actually do talk without posting! :), I believe this only applies to packets addressed to the router.
Since packets going -through- the router have absolutely no guarantee what source will be used coming back, I don't see an issue here. Just change the idea such that it only is used for error messages to packets where the dest addy is not an interface on the router.
Also, this makes traceroute -easier- to use. Suddenly all interfaces on the same router have the same IP address, thereby making it easy to tell if two traceroutes intersect, even if they use different interfaces.
Oh, and who said RFCs can't be updated? :-)
>> (Unless, of course, I get 726384 "you are off-topic" replies, in which case I withdraw the suggestion.)
>
> Please stop talking about networking on NANOG, you're confusing people. :)
I knew someone would flame me for it. :)

--
TTFN,
patrick
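The traceroute argument in the message above, as an added example that is not part of the original post: a small Python simulation comparing the de facto inbound-interface source with the proposed fixed-source knob. The topology, the documentation-range addresses, and the use of `lo0` as the fixed source are all constructed assumptions.

```python
# Constructed topology: router -> {interface: address}. "lo0" stands in for
# the fixed address the proposed knob would use (an assumption of this sketch).
ROUTERS = {
    "r1": {"lo0": "192.0.2.1", "ge0": "198.51.100.1", "ge1": "198.51.100.5"},
    "r2": {"lo0": "192.0.2.2", "ge0": "198.51.100.9", "ge1": "198.51.100.13"},
    "r3": {"lo0": "192.0.2.3", "ge0": "198.51.100.17", "ge1": "198.51.100.21"},
}

def icmp_error_source(router, in_if, dst, fixed_source):
    """Source address of the ICMP error `router` sends for a packet to `dst`."""
    addrs = ROUTERS[router]
    # The knob applies only to transit packets, i.e. when the destination
    # is not one of this router's own interface addresses.
    if fixed_source and dst not in addrs.values():
        return addrs["lo0"]
    # De facto behaviour: address of the interface the packet arrived on.
    return addrs[in_if]

def traceroute(path, dst, fixed_source):
    """Hop addresses seen for a path given as [(router, inbound_if), ...]."""
    return [icmp_error_source(r, i, dst, fixed_source) for r, i in path]

def shared_hops(trace_a, trace_b):
    """Addresses that appear in both traces (a naive intersection test)."""
    return set(trace_a) & set(trace_b)

# Two constructed paths that both cross r2, entering on different interfaces.
PATH_A = [("r1", "ge0"), ("r2", "ge0")]
PATH_B = [("r3", "ge0"), ("r2", "ge1")]
DST = "203.0.113.10"  # constructed destination beyond the routers

if __name__ == "__main__":
    for knob in (False, True):
        a = traceroute(PATH_A, DST, knob)
        b = traceroute(PATH_B, DST, knob)
        print("fixed source" if knob else "inbound iface", a, b,
              "shared:", sorted(shared_hops(a, b)))
```

With the inbound-interface behaviour the two traces share no address even though both cross `r2`; with the fixed source they share `192.0.2.2`.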