
Mailing List Archive: NANOG: users

ip options



bit.gossip at chello

Oct 28, 2009, 12:05 PM

Post #1 of 9 (710 views)
ip options

Experts,
out of the well-known values for ip options:

X [at] r# set ip-options ?
Possible completions:
<range> Range of values
[ Open a set of values
any Any IP option
loose-source-route Loose source route
route-record Route record
router-alert Router alert
security Security
stream-id Stream ID
strict-source-route Strict source route
timestamp Timestamp

I can only think of:
- RSVP using router-alert
- ICMP using route-record, timestamp

But I cannot think of any other use of any other IP option.
Considering the security hazard that they imply, I am therefore thinking
of dropping them.

Are any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
Thanks,
Luca.


dciccaro at cisco

Oct 28, 2009, 12:17 PM

Post #2 of 9 (684 views)
RE: ip options [In reply to]

Luca:

Check
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_acl_sel_drop_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1043334

Not the whole story, but :)

Hope it helps,
Dario


> -----Original Message-----
> From: Luca Tosolini [mailto:bit.gossip [at] chello]
> Sent: Wednesday, October 28, 2009 3:06 PM
> To: nanog
> Subject: ip options
>
> Experts,
> out of the well-known values for ip options:
>
> X [at] r# set ip-options ?
> Possible completions:
> <range> Range of values
> [ Open a set of values
> any Any IP option
> loose-source-route Loose source route
> route-record Route record
> router-alert Router alert
> security Security
> stream-id Stream ID
> strict-source-route Strict source route
> timestamp Timestamp
>
> I can only think of:
> - RSVP using router-alert
> - ICMP using route-record, timestamp
>
> But I can not think of any other use of any other IP option.
> Considering the security hazard that they imply, I am
> therefore thinking
> to drop them.
>
> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
> Thanks,
> Luca.
>
>
>


rdobbins at arbor

Oct 28, 2009, 12:20 PM

Post #3 of 9 (680 views)
Re: ip options [In reply to]

On Oct 29, 2009, at 2:05 AM, Luca Tosolini wrote:

> Considering the security hazard that they imply, I am therefore
> thinking
> to drop them.

You should certainly consider the impact on traceroute and possibly
QoS (i.e., RSVP, if it's relevant) in your environment.

Some vendors/platforms also have the option to ignore, rather than drop.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] arbor> // <http://www.arbornetworks.com>

Sorry, sometimes I mistake your existential crises for technical
insights.

-- xkcd #625


rbonica at juniper

Nov 3, 2009, 12:44 PM

Post #4 of 9 (626 views)
Re: ip options [In reply to]

Folks,

I would love to see the IETF OPSEC WG publish a document on the pros and
cons of filtering optioned packets.

Would anybody on this list be willing to author an Internet Draft?

Ron
(co-director IETF O&M Area)

Luca Tosolini wrote:
> Experts,
> out of the well-known values for ip options:
>
> X [at] r# set ip-options ?
> Possible completions:
> <range> Range of values
> [ Open a set of values
> any Any IP option
> loose-source-route Loose source route
> route-record Route record
> router-alert Router alert
> security Security
> stream-id Stream ID
> strict-source-route Strict source route
> timestamp Timestamp
>
> I can only think of:
> - RSVP using router-alert
> - ICMP using route-record, timestamp
>
> But I can not think of any other use of any other IP option.
> Considering the security hazard that they imply, I am therefore thinking
> to drop them.
>
> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
> Thanks,
> Luca.
>
>
>


joelja at bogus

Nov 3, 2009, 7:41 PM

Post #5 of 9 (617 views)
Re: ip options [In reply to]

How about unused and/or private/local diffserv code points?


Ron Bonica wrote:
> Folks,
>
> I would love to see the IETF OPSEC WG publish a document on the pros and
> cons of filtering optioned packets.
>
> Would anybody on this list be willing to author an Internet Draft?
>
> Ron
> (co-director IETF O&M Area)
>
> Luca Tosolini wrote:
>> Experts,
>> out of the well-known values for ip options:
>>
>> X [at] r# set ip-options ?
>> Possible completions:
>> <range> Range of values
>> [ Open a set of values
>> any Any IP option
>> loose-source-route Loose source route
>> route-record Route record
>> router-alert Router alert
>> security Security
>> stream-id Stream ID
>> strict-source-route Strict source route
>> timestamp Timestamp
>>
>> I can only think of:
>> - RSVP using router-alert
>> - ICMP using route-record, timestamp
>>
>> But I can not think of any other use of any other IP option.
>> Considering the security hazard that they imply, I am therefore thinking
>> to drop them.
>>
>> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
>> Thanks,
>> Luca.
>>
>>
>>
>


isabeldias1 at yahoo

Nov 4, 2009, 6:54 AM

Post #6 of 9 (618 views)
Re: ip options [In reply to]

:-)



----- Original Message ----
From: joel jaeggli <joelja [at] bogus>
To: Ron Bonica <rbonica [at] juniper>
Cc: nanog <nanog [at] nanog>
Sent: Wed, November 4, 2009 3:41:26 AM
Subject: Re: ip options

How about unused and/or private/local diffserve code points?


Ron Bonica wrote:
> Folks,
>
> I would love to see the IETF OPSEC WG publish a document on the pros and
> cons of filtering optioned packets.
>
> Would anybody on this list be willing to author an Internet Draft?
>
>                                      Ron
>                                      (co-director IETF O&M Area)
>
> Luca Tosolini wrote:
>> Experts,
>> out of the well-known values for ip options:
>>
>> X [at] r# set ip-options ?
>> Possible completions:
>>  <range>              Range of values
>>  [                    Open a set of values
>>  any                  Any IP option
>>  loose-source-route  Loose source route
>>  route-record        Route record
>>  router-alert        Router alert
>>  security            Security
>>  stream-id            Stream ID
>>  strict-source-route  Strict source route
>>  timestamp            Timestamp
>>
>> I can only think of:
>> - RSVP using router-alert
>> - ICMP using route-record, timestamp
>>
>> But I can not think of any other use of any other IP option.
>> Considering the security hazard that they imply, I am therefore thinking
>> to drop them.
>>
>> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
>> Thanks,
>> Luca.
>>
>>
>>
>



morrowc.lists at gmail

Nov 17, 2011, 7:07 AM

Post #7 of 9 (78 views)
Re: IP Options [In reply to]

got pcaps?

On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235 [at] gmail> wrote:
> Is it just me or has there been an increase in packets with IP options set
> hitting
> our front door? There are ways to mitigate e.g. IP options selective
> discard, and ACL
> IP options support. ACL entries on the edge appear to be the best
> way identify and log the source.
> IP options selective discard drops packets silently so from my view they
> are not as effective.
>
> Is anyone doing anything else to identify and mitigate?  I have been seeing
> hits on our firewalls
> but would rather take care of it at our edge with little or no impact.
>
>
> Mike
>


harbor235 at gmail

Nov 17, 2011, 7:17 AM

Post #8 of 9 (78 views)
Re: IP Options [In reply to]

Sure, but mirroring a port on the edge may not be the best way to go; ACL
hits and logs dumped to syslog may be the best approach. So if you're
capturing traffic, how are you mitigating this traffic with minimal impact?

Mike

On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow <
morrowc.lists [at] gmail> wrote:

> got pcaps?
>
> On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235 [at] gmail> wrote:
> > Is it just me or has there been an increase in packets with IP options
> set
> > hitting
> > our front door? There are ways to mitigate e.g. IP options selective
> > discard, and ACL
> > IP options support. ACL entries on the edge appear to be the best
> > way identify and log the source.
> > IP options selective discard drops packets silently so from my view they
> > are not as effective.
> >
> > Is anyone doing anything else to identify and mitigate? I have been
> seeing
> > hits on our firewalls
> > but would rather take care of it at our edge with little or no impact.
> >
> >
> > Mike
> >
>


morrowc.lists at gmail

Nov 17, 2011, 7:20 AM

Post #9 of 9 (76 views)
Re: IP Options [In reply to]

On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor235 [at] gmail> wrote:
> Sure, but mirroring a port on the edge may not be the best way to go, ACL
> hits and logs
> dumped to syslog may be the best approach. So if your capturing traffic how
> are you mitigating this traffic
> with minimal impact?
>

sorry, my question was: "Do you have some pcaps, I'd be interested in
seeing what sort of packets you are seeing with options added to
them."

I've seen things like mcast/pim/etc that will do this, and RSVP, I've
not seen in-the-wild packets with options being a 'problem', though in
theory they can be painful :(

Some vendor gear has 'no ip-options' as an option...(which is really,
'ignore ip options', I believe), some has the ability to filter based
on option(s).

-chris

> Mike
>
> On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow
> <morrowc.lists [at] gmail> wrote:
>>
>> got pcaps?
>>
>> On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor235 [at] gmail> wrote:
>> > Is it just me or has there been an increase in packets with IP options
>> > set
>> > hitting
>> > our front door? There are ways to mitigate e.g. IP options selective
>> > discard, and ACL
>> > IP options support. ACL entries on the edge appear to be the best
>> > way identify and log the source.
>> > IP options selective discard drops packets silently so from my view they
>> > are not as effective.
>> >
>> > Is anyone doing anything else to identify and mitigate?  I have been
>> > seeing
>> > hits on our firewalls
>> > but would rather take care of it at our edge with little or no impact.
>> >
>> >
>> > Mike
>> >
>
>

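To make the two questions in this thread concrete (which option types exist in the list Luca pasted, and Mike's wish to identify and log the source rather than discard silently), here is an added example that is not from any poster, vendor or the Junos CLI shown above. It parses the IPv4 option area of a header, rejects malformed option lengths, and applies a hypothetical edge policy that accepts only router-alert, route-record and timestamp; the headers it classifies are constructed in the script, not captured traffic.

```python
import struct

# IPv4 option type bytes (copied/class/number) for the options listed in the thread.
OPTION_NAMES = {0: "end-of-list", 1: "no-op", 7: "route-record", 68: "timestamp",
                130: "security", 131: "loose-source-route", 136: "stream-id",
                137: "strict-source-route", 148: "router-alert"}

# Hypothetical edge policy: keep the options RSVP and ICMP traceroute may legitimately
# carry, drop the rest (source routing first of all), and log every optioned packet.
POLICY = {"router-alert": "accept", "route-record": "accept", "timestamp": "accept"}


def parse_options(header: bytes) -> list:
    """Return option names from an IPv4 header; raise ValueError if malformed."""
    ihl = (header[0] & 0x0F) * 4 if header else 0
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL or short header")
    opts, names, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte, no length field
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):   # a zero length would loop forever
            raise ValueError("bad option length")
        names.append(OPTION_NAMES.get(kind, "unknown-%d" % kind))
        i += length
    return names


def classify(header: bytes) -> dict:
    """Give an accept/drop verdict and a syslog-style line that names the source."""
    src = ".".join(str(b) for b in header[12:16])
    try:
        names = parse_options(header)
    except ValueError as err:
        return {"src": src, "options": [], "action": "drop",
                "log": "drop malformed ip-options from %s: %s" % (src, err)}
    action = "accept" if all(POLICY.get(n) == "accept" for n in names) else "drop"
    return {"src": src, "options": names, "action": action,
            "log": "%s ip-options=%s from %s" % (action, ",".join(names) or "none", src)}


def make_header(src: bytes, options: bytes) -> bytes:
    """Build a constructed IPv4 header (sample input, not captured traffic)."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts), 0, 0, 64, 1, 0,
                       src, b"\x0a\x00\x00\x01") + opts
```

The log line is what an ACL with logging would give you that selective discard does not: the source address and the option types seen, so a rise in optioned packets can be attributed before anything is dropped.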