Subject: Re: illegal network routes and a ponderance
To: None <tech-net@netbsd.org>
From: Seth Kurtzberg <seth@cql.com>
List: tech-net
Date: 02/19/2003 16:53:38
I wasn't implying that it is a good idea. :) I agree with der Mouse that it
is uncommon in recent equipment, but I see a lot of old routers still in use.
On Wednesday 19 February 2003 04:06 pm, der Mouse wrote:
> >> For better or worse, source routing is disabled in most routers for
> >> security reasons.
>
> Or rather, for illusion-of-security reasons. There's not that much
> software left that makes security decisions based on packets' source
> addresses, and such software has always been buggy.
>
> > What does it mean? They won't forward any packets with the source
> > route option, or just those whose loose-source-route option
> > explicitly mentions the router in question?
>
> Usually the former, I think, though I haven't investigated much.
>
> > The former would be bad.
>
> Yes, it is. It's like a lot of "security" decisions, breaking a useful
> facility to "protect" buggy software, rather than just fixing the
> stupid bugs in the first place.
>
> > I also believe that in IPv6 world you cannot just disable the Source
> > Routing feature (called Routing Header ) because it is necessary for
> > mobility (don't remember the details, but will look at it).
>
> That wouldn't stop some people. LSRR and SSRR were a useful feature of
> IPv4, but people didn't hesitate to break them in the name of security;
> I don't expect them to hesitate to break whatever the routing header
> supports in the name of security.
>
> /~\ The ASCII der Mouse
> \ / Ribbon Campaign
> X Against HTML mouse@rodents.montreal.qc.ca
> / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
--
Seth Kurtzberg
M. I. S. Corp.
480-661-1849
seth@cql.com
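The thread turns on whether routers drop every packet carrying the LSRR/SSRR option or only those naming the router itself. As an added example, not code from anyone in this thread, here is a parser that answers the first question a defender would ask of a captured packet: does its IPv4 header carry a source route at all, and if so which kind and which hops. The option type numbers (131 for LSRR, 137 for SSRR) and the layout are from RFC 791; the builder constructs sample packets from documentation addresses so the parser can be exercised offline.

```python
import struct
from typing import List, Optional, Tuple

LSRR = 131  # IPv4 option type: loose source and record route (RFC 791)
SSRR = 137  # IPv4 option type: strict source and record route (RFC 791)


def parse_source_route(packet: bytes) -> Optional[Tuple[str, int, List[str]]]:
    """Return (kind, pointer, hops) for an LSRR/SSRR option in an IPv4 header, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # No Operation (single byte, no length field)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        if t in (LSRR, SSRR):
            # type, length, pointer, then a whole number of 4-byte addresses
            if length < 3 or (length - 3) % 4:
                raise ValueError("malformed source route option")
            addrs = opts[i + 3:i + length]
            hops = [".".join(str(b) for b in addrs[j:j + 4]) for j in range(0, len(addrs), 4)]
            return ("LSRR" if t == LSRR else "SSRR", opts[i + 2], hops)
        i += length
    return None


def build_sample(kind: int, hops: List[str]) -> bytes:
    """Constructed test input: minimal IPv4 header carrying one source-route option."""
    addrs = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    opt = bytes([kind, 3 + len(addrs), 4]) + addrs   # pointer starts at octet 4
    opt += b"\x00" * ((-len(opt)) % 4)                # EOL padding to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opt), 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 9]))  # documentation addresses
    return hdr + opt
```

Whether a router should then forward such a packet is the policy question the thread argues about; the parser only makes the option visible so that decision, and any logging of it, can be explicit rather than implicit.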