Subject: Re: illegal network routes and a ponderance
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 02/19/2003 18:06:41
>> For better or worse, source routing is disabled in most routers for
>> security reasons.

Or rather, for illusion-of-security reasons.  There's not that much
software left that makes security decisions based on packets' source
addresses, and such software has always been buggy.

> What does it mean?  They won't forward any packets with the source
> route option, or just those whose loose-source-route option
> explicitly mentions the router in question?

Usually the former, I think, though I haven't investigated much.

> The former would be bad.

Yes, it is.  It's like a lot of "security" decisions, breaking a useful
facility to "protect" buggy software, rather than just fixing the
stupid bugs in the first place.

> I also believe that in IPv6 world you cannot just disable the Source
> Routing feature (called Routing Header ) because it is necessary for
> mobility (don't remember the details, but will look at it).

That wouldn't stop some people.  LSRR and SSRR were a useful feature of
IPv4, but people didn't hesitate to break them in the name of security;
I don't expect them to hesitate to break whatever the routing header
supports in the name of security.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
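The two router policies discussed above (drop every packet carrying a source-route option, or only those whose route list names this router) come down to parsing the IPv4 options field. The following is an added example for this thread, not code from NetBSD or from any poster: a small IPv4 option parser that recognises LSRR (option type 131) and SSRR (type 137) per RFC 791 and classifies a packet under either policy. The packets, the router's own addresses (203.0.113.9 and .10) and the helper names are constructed for the example; the header checksum is left zero because only option parsing is demonstrated. The security-relevant point it makes concrete is the one the message alludes to: a reply to a source-routed packet follows the reversed address list, so a host that trusts the source address alone can be made to answer a spoofed sender.

```python
"""Classify IPv4 packets by their source-route options (added example).

LSRR is option type 131 and SSRR is type 137 (RFC 791).  Both carry a
length byte, a pointer byte and a list of 4-byte addresses.
"""
import ipaddress
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # one-byte no-op, used for alignment
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def parse_ipv4_options(packet: bytes):
    """Return [(type, body), ...] for the options in an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, result, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, opts[i + 2:i + length]))
        i += length
    return result


def source_route_addresses(body: bytes):
    """Decode an LSRR/SSRR option body into (pointer, [dotted addresses])."""
    if not body:
        raise ValueError("source route option too short")
    pointer, addrs = body[0], body[1:]
    if len(addrs) % 4:
        raise ValueError("route data not a multiple of 4 bytes")
    route = [str(ipaddress.IPv4Address(addrs[j:j + 4])) for j in range(0, len(addrs), 4)]
    return pointer, route


def classify(packet: bytes, my_addresses):
    """'none', 'source-routed' (any LSRR/SSRR present: the usual drop-all
    policy) or 'source-routed-via-me' (our own address is in the route list:
    the narrower policy the quoted question asks about)."""
    verdict = "none"
    for t, body in parse_ipv4_options(packet):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            verdict = "source-routed"
            _, route = source_route_addresses(body)
            if any(a in my_addresses for a in route):
                return "source-routed-via-me"
    return verdict


def build_ipv4(src, dst, options=b""):
    """Constructed minimal IPv4 header; options padded with EOL to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0,  # id, flags/frag, ttl, proto=TCP, checksum left 0
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options


def source_route_option(route, strict=False):
    """Encode an LSRR (or SSRR) option: type, length, pointer=4, addresses."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in route)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4]) + body


# Constructed sample packets and router addresses (example data only).
ROUTER_ADDRS = {"203.0.113.9", "203.0.113.10"}
PLAIN = build_ipv4("10.0.0.1", "10.0.0.2")
LSRR_OTHER = build_ipv4("10.0.0.1", "10.0.0.2", source_route_option(["192.0.2.1", "192.0.2.2"]))
LSRR_VIA_ME = build_ipv4("10.0.0.1", "10.0.0.2", source_route_option(["192.0.2.1", "203.0.113.9"]))
SSRR_VIA_ME = build_ipv4("10.0.0.1", "10.0.0.2", source_route_option(["203.0.113.9"], strict=True))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr-other", LSRR_OTHER),
                      ("lsrr-via-me", LSRR_VIA_ME), ("ssrr-via-me", SSRR_VIA_ME)]:
        print(f"{name:12s} -> {classify(pkt, ROUTER_ADDRS)}")
```

Under the drop-all policy everything but PLAIN is discarded; under the narrower policy only LSRR_VIA_ME and SSRR_VIA_ME are, and LSRR_OTHER is forwarded unchanged. Note that the parser rejects malformed lengths rather than skipping them, since an option parser that silently tolerates bad lengths is itself a classic source of bugs.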