North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: New router feature - icmp error source-interface [was: icmp rpf]

  • From: Patrick W. Gilmore
  • Date: Mon Sep 25 20:02:48 2006

On Sep 25, 2006, at 5:40 PM, Richard A Steenbergen wrote:
On Mon, Sep 25, 2006 at 09:22:34AM -0400, Patrick W. Gilmore wrote:
On Sep 25, 2006, at 9:06 AM, Ian Mason wrote:

ICMP packets will, by design, originate from the incoming interface
used by the packet that triggers the ICMP packet. Thus giving an
interface an address is implicitly giving that interface the
ability to source packets with that address to potential anywhere
in the Internet. If you don't legitimately announce address space
then sourcing packets with addresses in that space is (one
definition of) spoofing.
Who thinks it would be a "good idea" to have a knob such that ICMP
error messages are always source from a certain IP address on a router?
You know I was just having this discussion with someone else a couple days
ago. It turns out, much to my surprise, that the RFC actually calls for
the ICMP error-message packet (as you said, the things that aren't ping
etc which require a specific source-address) to originate from the
OUTGOING interface used to return the ICMP message to the original sender.
After much googling, I can't find any document where this has ever been
officially updated either. The defacto industry standard on the other hand
has been to use the primary address of the inbound interface, which serves
exactly one function: it makes traceroute work.
I have not read the RFC in full, but after chatting with Daniel offline (see, some people actually do talk without posting! :), I believe this only applies to packets addressed to the router.

Since packets going -through- the router have absolutely no guarantee what source will be used coming back, I don't seen an issue here. Just change the idea such that it only is used for error messages to packets where the dest addy is not an interface on the router.

Also, this makes traceroute -easier- to use. Suddenly all interfaces on the same router have the same IP address, thereby making it easy to tell if two traceroutes intersect, even if they use different interfaces.

Oh, and who said RFCs can't be updated? :-)

(Unless, of course, I get 726384 "you are off-topic" replies, in
which case I withdraw the suggestion.)
Please stop talking about networking on NANOG, you're confusing people. :)
I knew someone would flame me for it. :)