Re: IP Options

[Christopher Morrow <morrowc.lists () gmail com>]

On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor235 () gmail com> wrote:
> Sure, but mirroring a port on the edge may not be the best way to go, ACL
> hits and logs
> dumped to syslog may be the best approach. So if your capturing traffic how
> are you mitigating this traffic
> with minimal impact?

sorry, my question was: "Do you have some pcaps, I'd be interested in
seeing what sort of packets you are seeing with options added to
them."

I've seen things like mcast/pim/etc that will do this, and RSVP, I've
not seen in-the-wild packets with options being a 'problem', though in
theory they can be painful :(

Some vendor gear has 'no ip-options' as an option...(which is really,
'ignore ip options', I believe), some has the ability to filter based
on option(s).

-chris

> Mike
>
> On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow
> <morrowc.lists () gmail com> wrote:
> > got pcaps?
> >
> > On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235 () gmail com> wrote:
> > > Is it just me or has there been an increase in packets with IP options
> > > set
> > > hitting
> > > our front door? There are ways to mitigate e.g. IP options selective
> > > discard, and ACL
> > > IP options support. ACL entries on the edge appear to be the best
> > > way identify and log the source.
> > > IP options selective discard drops packets silently so from my view they
> > > are not as effective.
> > >
> > > Is anyone doing anything else to identify and mitigate?  I have been
> > > seeing
> > > hits on our firewalls
> > > but would rather take care of it at our edge with little or no impact.
> > >
> > >
> > > Mike