Subject: Re: illegal network routes and a ponderance
To: None <tech-net@netbsd.org>
From: Seth Kurtzberg <seth@cql.com>
List: tech-net
Date: 02/19/2003 16:53:38
I wasn't implying that it is a good idea.  :)  I agree with der Mouse that it 
is uncommon in recent equipment, but I see a lot of old routers still in use.

On Wednesday 19 February 2003 04:06 pm, der Mouse wrote:
> >> For better or worse, source routing is disabled in most routers for
> >> security reasons.
>
> Or rather, for illusion-of-security reasons.  There's not that much
> software left that makes security decisions based on packets' source
> addresses, and such software has always been buggy.
>
> > What does it mean?  They won't forward any packets with the source
> > route option, or just those whose loose-source-route option
> > explicitely mentions the router in question?
>
> Usually the former, I think, though I haven't investigated much.
>
> > The former would be bad.
>
> Yes, it is.  It's like a lot of "security" decisions, breaking a useful
> facility to "protect" buggy software, rather than just fixing the
> stupid bugs in the first place.
>
> > I also believe that in IPv6 world you cannot just disable the Source
> > Routing feature (called Routing Header ) because it is necessary for
> > mobility (don't remember the details, but will look at it).
>
> That wouldn't stop some people.  LSRR and SSRR were a useful feature of
> IPv4, but people didn't hesitate to break them in the name of security;
> I don't expect them to hesitate to break whatever the routing header
> supports in the name of security.
>
> /~\ The ASCII				der Mouse
> \ / Ribbon Campaign
>  X  Against HTML	       mouse@rodents.montreal.qc.ca
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
Seth Kurtzberg
M. I. S. Corp.
480-661-1849
seth@cql.com