Re: New router feature - icmp error source-interface [was: icmp rpf]
- From: Payam Tarverdyan Chychi
- Date: Tue Sep 26 01:24:24 2006
Joseph S D Yao wrote:
> On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
>> Who thinks it would be a "good idea" to have a knob such that ICMP
>> error messages are always sourced from a certain IP address on a router?...
>
> I've sometimes thought it would be useful when I wanted to hide a route.
> But security via obscurity just makes it that much harder to fix
> something. Many more times than this would have been useful, I've been
> able to identify at which router a problem was by a 'traceroute' that
> told me into which router by which interface I was going. When the
> owner of the router might not even have known. Or I have had attempts
> to do this foiled by routers that used an internal loopback IP address.
> On the whole, then, I guess I would vote, "no".

Why not just do a show ip route? Since you can actually verify the
information against your routing table. This way you can see when the
route was learned, where it was learned from and how long ago it was
last updated...
The problem is that too many people ("engineers") rely on traceroute...
Sure, traceroute is a wonderful tool, however it is meant to assist you
in "tracking down" the problem.

I've seen far too many "you are filtering, investigate please" when all
that has been done is implementing ACLs and rate limiting.

IMO, if you want to implement a non-routable IP space to protect your
backbone... go for it.

If you want to ICMP rate limit (I know Level3 does this out of both NYC
and LA), which causes mass threads of "we are getting packet loss, please
investigate", go for it...

If your network engineers are not equipped with the information on how
to fully diagnose a network/problem... you should think about new hires.
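The "we are getting packet loss" tickets above usually come from reading per-hop loss in mtr/traceroute output literally. The following is an added example, not code from the thread or from any vendor: it applies the standard rule of thumb that loss confined to an intermediate hop, while the destination still answers cleanly, points at ICMP rate limiting on that router rather than forwarding loss. The hop records, addresses and counts are constructed sample data.

```python
"""Classify per-hop loss from mtr/traceroute-style counters.

Added example (not from the NANOG thread). Rule applied:
  - destination answers cleanly  -> the lossy hop is only dropping its own
    ICMP replies (rate limiting / control-plane policing), not transit traffic
  - loss persists to the destination -> real forwarding loss from that hop on
  - anything else                 -> inconclusive, look harder
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    ttl: int
    addr: str       # responding address (may be a loopback, see thread)
    sent: int
    received: int

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0


def classify_hops(hops, threshold_pct: float = 5.0) -> dict:
    """Return {ttl: verdict} for each hop whose loss exceeds threshold_pct."""
    ordered = sorted(hops, key=lambda h: h.ttl)
    dest = ordered[-1]
    verdicts = {}
    for i, hop in enumerate(ordered):
        if hop.loss_pct < threshold_pct:
            continue
        later = ordered[i + 1:]
        if dest.loss_pct < threshold_pct:
            verdicts[hop.ttl] = "icmp-rate-limit"   # end-to-end path is fine
        elif all(h.loss_pct >= threshold_pct for h in later):
            verdicts[hop.ttl] = "forwarding-loss"   # loss carries through to dest
        else:
            verdicts[hop.ttl] = "inconclusive"
    return verdicts


# Constructed samples using RFC 5737 documentation addresses.
SAMPLE_RATE_LIMITED = [          # hop 2 polices ICMP; destination is clean
    Hop(1, "192.0.2.1", 100, 100), Hop(2, "198.51.100.9", 100, 40),
    Hop(3, "203.0.113.5", 100, 99), Hop(4, "203.0.113.77", 100, 100),
]
SAMPLE_FORWARDING_LOSS = [       # loss starts at hop 3 and reaches the destination
    Hop(1, "192.0.2.1", 100, 100), Hop(2, "198.51.100.9", 100, 100),
    Hop(3, "203.0.113.5", 100, 70), Hop(4, "203.0.113.77", 100, 68),
]

if __name__ == "__main__":
    print(classify_hops(SAMPLE_RATE_LIMITED))     # {2: 'icmp-rate-limit'}
    print(classify_hops(SAMPLE_FORWARDING_LOSS))  # {3: 'forwarding-loss', 4: 'forwarding-loss'}
```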