nanog mailing list archives
Re: New router feature - icmp error source-interface [was: icmp rpf]
From: Payam Tarverdyan Chychi <payam () bhsecurity com>
Date: Mon, 25 Sep 2006 21:34:55 -0700
Joseph S D Yao wrote:

> On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
>> ...Who thinks it would be a "good idea" to have a knob such that ICMP error messages are always sourced from a certain IP address on a router?...
>
> I've sometimes thought it would be useful when I wanted to hide a route. But security via obscurity just makes it that much harder to fix something. Many more times than this would have been useful, I've been able to identify at which router a problem was by a 'traceroute' that told me into which router by which interface I was going. When the owner of the router might not even have known. Or I have had attempts to do this foiled by routers that used an internal loopback IP address. On the whole, then, I guess I would vote, "no".

Why not just do a "show ip route", since you can actually verify the information against your routing table? This way you can see when the route was learned, where it was learned from and how long ago it was last updated... The problem is that too many people "engineers" rely on traceroute. Sure, traceroute is a wonderful tool; however, it is meant to assist you in "tracking down" the problem.
I've seen far too many "you are filtering, investigate please" when all that has been done is implementing ACLs and rate limiting.

IMO, if you want to implement a non-routable IP space to protect your backbone... go for it. If you want to ICMP rate limit (*I know Level3 does this out of both NYC and LA*), which causes mass threads of "we are getting packet loss, please investigate"... go for it.

If your network engineers are not equipped with the information on how to fully diagnose a network/problem... you should think about new hires.
Cheers, Payam
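As an added illustration of the point made above (this is not code from the list post or from any of its authors): a small Python script that reads a constructed traceroute transcript and separates hops that are silent or partially silent because the router filters or rate-limits its ICMP errors from real forwarding loss, and flags replies sourced from RFC1918 backbone space. The transcript, addresses, thresholds and function names are my own assumptions.

```python
import ipaddress
import re

# Constructed traceroute output (not a real capture). Hop 3 answers from
# RFC1918 backbone space, hop 4 drops every probe, hop 5 answers two of
# three probes, and the destination answers all probes cleanly.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.398 ms  0.391 ms
 2  198.51.100.5 (198.51.100.5)  1.201 ms  1.188 ms  1.175 ms
 3  10.255.0.9 (10.255.0.9)  8.912 ms  8.900 ms  8.887 ms
 4  * * *
 5  198.51.100.77 (198.51.100.77)  25.310 ms * 25.287 ms
 6  203.0.113.10 (203.0.113.10)  26.001 ms  25.990 ms  25.978 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"[\d.]+ ms")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_traceroute(text):
    """Return a list of (hop, replying_ip_or_None, answered, sent)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skip the header line
        hop, rest = int(m.group(1)), m.group(2)
        ips = IP_RE.findall(rest)
        answered = len(RTT_RE.findall(rest))
        sent = answered + rest.count("*")
        hops.append((hop, ips[0] if ips else None, answered, sent))
    return hops

def classify_hops(hops):
    """Map each hop number to what its reply pattern actually indicates."""
    last_answering = max((h for h, _, a, _ in hops if a > 0), default=0)
    notes = {}
    for hop, ip, answered, sent in hops:
        if answered == 0:
            # A silent hop with answering hops beyond it forwards fine; the
            # router simply does not send ICMP errors to us (ACL/rate limit).
            notes[hop] = ("filtered_or_rate_limited" if hop < last_answering
                          else "no_reply_beyond_here")
        elif answered < sent:
            # Partial replies while later hops answer fully is consistent
            # with ICMP generation being rate-limited on that router.
            notes[hop] = "icmp_rate_limited"
        elif ip and any(ipaddress.ip_address(ip) in n for n in RFC1918):
            notes[hop] = "private_source"  # non-routable backbone space
        else:
            notes[hop] = "ok"
    return notes

if __name__ == "__main__":
    for hop, note in classify_hops(parse_traceroute(SAMPLE_TRACEROUTE)).items():
        print(hop, note)
```

Only hop 4's silence and hop 5's missing probe would be reported as "packet loss" by someone reading the raw traceroute; the destination answering every probe shows neither is.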