On Sun, 15 Dec 2013, Smith, Donald wrote:
> This:
> Please note that treating packets with LSRR as if they did not  
>        contain this option can result in such packets being sent to a  
>        different device that the initially intended destination.  With  
>        appropriate ingress filtering this should not open an attack vector  
>        into the infrastructure.  Nonetheless, it could result in traffic  
>        that would never reach the initially intended destination.  Dropping  
>        these packets prevents unnecessary network traffic, and does not make  
>        end-to-end communication any worse.  
>                                             
> 
> Should be this:
> Please note that treating packets with LSRR as if they did not  
>        contain this option can result in such packets being sent to a  
>        different device THAN the initially intended destination.  With  
>        appropriate ingress filtering this should not open an attack vector  
>        into the infrastructure.  Nonetheless, it could result in traffic  
>        that would never reach the initially intended destination.  Dropping  
>        these packets prevents unnecessary network traffic, and does not make  
>        end-to-end communication any worse.  
>                                             
> It also isn't true:(

Actually, it IS true.

> Consider a LSRR A-B-C-D

In this case, when the packet is originated the destination address 
in the IP header is A and the LSRR route contains BCD with the 
pointer pointing to B.

> If A received it and ignores it (including the record route part) 
> and hands it off to something next to A (1 hop away) that device 
> could hand it back to A (since it should be in the RR path but 
> isn't) causing a loop that bounces between A and its neighbor until 
> the ttl expires right? So not only did it not arrive at the 
> destination it also could be used to ddos A.

No.  If A receives the packet and ignores LSRR it won't forward the 
packet at all; rather, it will assume that the packet is destined 
for itself because the destination address in the IP header is A.  
In other words, the packet will be delivered to A and not to D.

//xmh
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
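To make the difference between the two positions in the thread concrete, here is an added example that is not part of the list discussion: a small Python simulation of RFC 791 Loose Source and Record Route processing. The option is built byte for byte (type 131, length, 1-based pointer starting at 4, then the route addresses), and each device along the way applies one of three policies: honor the option as RFC 791 describes, ignore the option entirely, or drop any packet carrying it. The addresses, the assumption that every device is directly reachable by its successor, and the policy names are constructed for the example.

```python
"""Simulate RFC 791 LSRR processing under three router policies (added example)."""
import ipaddress

LSRR_TYPE = 131  # copied=1, class=0, number=3 (RFC 791)


def build_lsrr(route):
    """Encode an LSRR option: type, length, pointer, then the route addresses.
    The pointer is a 1-based offset into the option; 4 points at the first address."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in route)
    return bytes([LSRR_TYPE, 3 + len(data), 4]) + data


def parse_lsrr(opt):
    """Return (pointer, [addresses]) or raise on a malformed option."""
    kind, length, pointer = opt[0], opt[1], opt[2]
    if kind != LSRR_TYPE or length != len(opt) or (length - 3) % 4:
        raise ValueError("malformed LSRR option")
    addrs = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
    return pointer, addrs


class Packet:
    """Minimal IPv4 packet: header addresses, TTL, and one LSRR option."""

    def __init__(self, src, dst, route):
        self.src, self.dst = src, dst
        self.opt = bytearray(build_lsrr(route))
        self.ttl = 64


def hop(node, pkt, policy):
    """Process pkt at node; return "forward", "deliver" or "drop".

    policy: "rfc791" honors the option, "ignore" never looks at it,
            "drop" discards any packet carrying it (the draft's recommendation).
    """
    if policy == "drop":
        return "drop"
    if pkt.dst != node:
        return "forward"  # ordinary destination-based routing
    if policy == "ignore":
        # The header destination is this node, so the packet is delivered
        # locally; the addresses in the option are never consulted.
        return "deliver"
    pointer, _ = parse_lsrr(bytes(pkt.opt))
    length = pkt.opt[1]
    if pointer > length:
        return "deliver"  # source route exhausted: we are the final destination
    idx = pointer - 1
    next_hop = str(ipaddress.IPv4Address(bytes(pkt.opt[idx:idx + 4])))
    pkt.opt[idx:idx + 4] = ipaddress.IPv4Address(node).packed  # record our address
    pkt.opt[2] = pointer + 4  # advance the pointer by one address
    pkt.dst = next_hop  # next route entry replaces the header destination
    return "forward"


def send(src, first_hop, route, policy):
    """Walk a packet hop by hop; each device receives it when it is the header dst.
    Returns (outcome, recipient, recorded route addresses, list of devices visited)."""
    pkt = Packet(src, first_hop, route)
    path = []
    while pkt.ttl > 0:
        node = pkt.dst
        pkt.ttl -= 1
        path.append(node)
        action = hop(node, pkt, policy)
        if action == "deliver":
            return "delivered", node, parse_lsrr(bytes(pkt.opt))[1], path
        if action == "drop":
            return "dropped", node, parse_lsrr(bytes(pkt.opt))[1], path
    return "ttl_expired", None, None, path


if __name__ == "__main__":
    # Constructed addresses: origin sends to A with a loose route through B, C to D.
    A, B, C, D = "10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1"
    for policy in ("rfc791", "ignore", "drop"):
        print(policy, send("10.0.0.1", A, [B, C, D], policy))
```

With the RFC 791 policy the packet visits A, B, C and D, the recorded route at D reads A, B, C, and the header destination at each step is the next device in the list. With the ignore policy A sees its own address in the header destination and delivers the packet to itself: nothing is forwarded, so there is no bounce between A and a neighbour, only a packet that never reaches D. With the drop policy the packet is discarded at A.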
