North American Network Operators Group


Re: LSR and packet filters

  • From: Sean M. Doran
  • Date: Sun Sep 14 13:54:25 1997

Vadim Antonov <[email protected]> writes:

> Hey, LSR is useful for all kinds of very interesting
> denial of service attacks.  A clever combination of LSR and
> forged source addresses may make the attack virtually
> untraceable.

The denials-of-service are generally driven by poor
implementation of networking software, much of which has
been corrected.  Moreover, in the case of LSR-using
source-forged attacks, tracing becomes *easier* because
you need only trap on LSR traffic and work backwards.

What is *hard* is source-forged attacks which are in
profile and option-free.

> Useful for what?  traceroute -g is the _only_ useful
> application for LSR.  Disabling LSR and adding an application
> level service for tracing back would be just as useful.

There are several people here who have mentioned on and
off that LSR telnet is extremely handy to them.

If you could send traffic using LSR and pay less severely
for using the option in older routers, then I can think of
several applications for sending lots of traffic with the
LSR option toggled at the source.  I can equally think of
useful applications for SSR.
 
> Encryption is an overkill for 99% of all applications. 

No argument here. :)

> Disabling LSR and doing SA filtering can take care of
> _most_ security problems.  And it is computationally
> cheap.

SA filtering is more useful than disabling LSR.
What does the additional disabling of LSR on top of
ubiquitous source address filtering buy you really?

> This will not make the network absolutely secure (there ain't
> no such thing as absolute security), but it definitely will
> make it _more_ secure.

So will turning it all off, the ultimate in the utility vs
security trade-off.

> How'd you like to get a stream of nasty bogons aimed at
> your router(s) and arriving from virtually all directions?
> There's a number of ways to kill ciscos with pretty low-rate
> streams.

If I had a BFR up and running, this would make an
interesting test to prove the design point of handling
fully-decorated micropackets at line rate across fully
half of all the interfaces in a fully-decked-out box.
Talk to Peter about beating on one of his, or come back to
me and BC in a couple weeks.

(It would be equally interesting to beat on a fully decked
out 75xx box with modern VIPs and dFIB, I guess.  We both
already know what happens when you even sneeze funny in the
presence of an RP, although SPD is pretty cool at avoiding
the "gee your router is unavailable" problem.)

	Sean.
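As an added example, not part of the original post: a small Python parser for the "trap on LSR traffic and work backwards" check Sean describes, flagging packets that carry the loose (LSRR) or strict (SSRR) source route option and pulling out the recorded route together with the source address. The packet bytes are constructed inline (documentation-range addresses), not captured traffic.

```python
import struct
import ipaddress

# IPv4 option types (RFC 791): loose and strict source-and-record route.
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137
SOURCE_ROUTE_OPTS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}

def parse_ipv4_options(packet: bytes):
    """Walk the IPv4 option area and return [(type, body_bytes), ...]."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, i = [], 20
    while i < ihl and packet[i] != OPT_EOL:
        if packet[i] == OPT_NOP:
            i += 1
            continue
        length = packet[i + 1] if i + 1 < ihl else 0
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append((packet[i], packet[i + 2:i + length]))
        i += length
    return opts

def source_route_info(packet: bytes):
    """Return (name, pointer, hops, src, dst) for an LSRR/SSRR packet, else None.
    This is the 'trap on LSR traffic' check: the option's recorded route plus the
    source address give a defender something to work backwards from."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    for kind, body in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTS:
            pointer, route = body[0], body[1:]   # pointer >= 4 indexes the next hop
            hops = [str(ipaddress.IPv4Address(route[j:j + 4])) for j in range(0, len(route) // 4 * 4, 4)]
            return SOURCE_ROUTE_OPTS[kind], pointer, hops, src, dst
    return None

def build_packet(src: str, dst: str, option: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (proto 6, zero checksum) plus padded options."""
    option += b"\x00" * (-len(option) % 4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(option) // 4), 0, 20 + len(option), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + option

# Constructed samples: one LSRR packet routed via 203.0.113.9, one option-free packet.
LSRR_SAMPLE = build_packet("192.0.2.1", "198.51.100.7", bytes([OPT_LSRR, 11, 4])
                           + ipaddress.IPv4Address("203.0.113.9").packed + ipaddress.IPv4Address("198.51.100.7").packed)
PLAIN_SAMPLE = build_packet("192.0.2.1", "198.51.100.7")
```

An option-free, in-profile packet (the hard case in the post) yields None here, which is exactly why source address filtering at the edge is the complementary control.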