Subject: Re: illegal network routes and a ponderance
To: None <email@example.com>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 02/19/2003 18:06:41
>> For better or worse, source routing is disabled in most routers for
>> security reasons.
Or rather, for illusion-of-security reasons. There's not that much
software left that makes security decisions based on packets' source
addresses, and such software has always been buggy.
> What does it mean? They won't forward any packets with the source
> route option, or just those whose loose-source-route option
> explicitely mentions the router in question?
Usually the former, I think, though I haven't investigated much.
> The former would be bad.
Yes, it is. It's like a lot of "security" decisions, breaking a useful
facility to "protect" buggy software, rather than just fixing the
stupid bugs in the first place.
> I also believe that in IPv6 world you cannot just disable the Source
> Routing feature (called Routing Header ) because it is necessary for
> mobility (don't remember the details, but will look at it).
That wouldn't stop some people. LSRR and SSRR were a useful feature of
IPv4, but people didn't hesitate to break them in the name of security;
I don't expect them to hesitate to break whatever the routing header
supports in the name of security.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML firstname.lastname@example.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B