
List:       nanog
Subject:    Re: ICMP Attacks???????
From:       Jon Green <jcgreen () netins ! net>
Date:       1997-08-22 17:39:52

On Thu, 21 Aug 1997 23:55:57 -0400 (EDT), woods@most.weird.com writes:
>
>[ On Thu, August 21, 1997 at 17:18:24 (-0500), Jon Green wrote: ]
>> Subject: Re: ICMP Attacks??????? 
>>
>> I don't think that's a good idea.  The vast majority of routers that
>> I sell to customers are not used in Internet applications, and to add
>> another configuration step to enable the router to do what routers
>> traditionally do by default would be very confusing to the end user.
>
>Wait just one minute there.
>
>You're saying that Corporate America *relies* on being able to do
>IP source address spoofing through the routers it builds its commercial
>private networks with?


Well, I wasn't quite thinking here.  The original post had said
something about making a router check to see if a packet came from
a locally configured interface, which I said would not be a good
idea.  Obviously, though, for non-local networks the router would have
a route table entry to get back to it, even if it jumps through
three other routers.

That being said, we *could* have a configuration option that makes
a router check its routing table to make sure a packet coming in an
interface has a route back out that same interface.  This should
not be a default option, though, since there are often two paths
to a destination and the routing table may not match where the packet
came from.  That's not the best English, but you get it..

What would doubling the number of route table lookups do from a 
performance standpoint?  Since I would envision this as an edge-router
type thing, I would assume the impact would not be that great.

-Jon

     -----------------------------------------------------------------
    *      Jon Green            *         "Life's a dance             *
   *   jcgreen@netINS.net       *          you learn as you go"        *
  *  Finger for Geek Code/PGP   *                                       *
 *  #include "std_disclaimer.h" * http://www.netins.net/showcase/jcgreen *
 -------------------------------------------------------------------------
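
The optional check proposed in the message above, as an added sketch that is not part of the original post or any router's code: the source address is looked up in the routing table and the packet is accepted only if the route back leaves through the interface it arrived on. The routing table, interface names and addresses are constructed for illustration, and the last case shows the two-path problem the message warns about.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: (prefix, egress interface).
ROUTES = [
    ("192.0.2.0/24", "eth1"),     # customer LAN, directly attached
    ("198.51.100.0/24", "eth1"),  # customer network several routers behind eth1
    ("203.0.113.0/24", "eth2"),   # site with two paths; best route is via eth2
    ("0.0.0.0/0", "eth0"),        # default route to the upstream
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches)[1] if matches else None


def reverse_path_ok(src, in_ifc):
    """True if the route back to src leaves via the ingress interface."""
    return lookup(src) == in_ifc


def forward(src, dst, in_ifc, check_enabled=False):
    """Returns (action, egress). The check is off by default and, when on,
    costs a second table lookup per packet (source, then destination)."""
    if check_enabled and not reverse_path_ok(src, in_ifc):
        return ("drop", None)
    out = lookup(dst)
    return ("forward", out) if out else ("drop", None)


if __name__ == "__main__":
    cases = [
        ("10.9.9.9", "203.0.113.5", "eth1"),      # source not routed via eth1
        ("198.51.100.9", "203.0.113.5", "eth1"),  # non-local but routed via eth1
        ("203.0.113.7", "192.0.2.10", "eth0"),    # real host arriving on its other path
    ]
    for src, dst, ifc in cases:
        print(src, ifc, forward(src, dst, ifc, check_enabled=True))
```
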
