
Mailing List Archive: NANOG: users

ip options

 

 



bit.gossip at chello

Oct 28, 2009, 12:05 PM

Post #1 of 6 (147 views)
ip options

Experts,
out of the well-known values for ip options:

X[at]r4# set ip-options ?
Possible completions:
  <range>              Range of values
  [                    Open a set of values
  any                  Any IP option
  loose-source-route   Loose source route
  route-record         Route record
  router-alert         Router alert
  security             Security
  stream-id            Stream ID
  strict-source-route  Strict source route
  timestamp            Timestamp

I can only think of:
- RSVP using router-alert
- ICMP using route-record, timestamp

But I can not think of any other use of any other IP option.
Considering the security hazard that they imply, I am therefore thinking
to drop them.

Are any other IP options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
Thanks,
Luca.


dciccaro at cisco

Oct 28, 2009, 12:17 PM

Post #2 of 6 (144 views)
RE: ip options [In reply to]

Luca:

Check
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_acl_sel_drop_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1043334

Not the whole story, but :)

Hope it helps,
Dario


> -----Original Message-----
> From: Luca Tosolini [mailto:bit.gossip[at]chello.nl]
> Sent: Wednesday, October 28, 2009 3:06 PM
> To: nanog
> Subject: ip options
>
> Experts,
> out of the well-known values for ip options:
>
> X[at]r4# set ip-options ?
> Possible completions:
>   <range>              Range of values
>   [                    Open a set of values
>   any                  Any IP option
>   loose-source-route   Loose source route
>   route-record         Route record
>   router-alert         Router alert
>   security             Security
>   stream-id            Stream ID
>   strict-source-route  Strict source route
>   timestamp            Timestamp
>
> I can only think of:
> - RSVP using router-alert
> - ICMP using route-record, timestamp
>
> But I can not think of any other use of any other IP option.
> Considering the security hazard that they imply, I am
> therefore thinking
> to drop them.
>
> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
> Thanks,
> Luca.
>
>
>


rdobbins at arbor

Oct 28, 2009, 12:20 PM

Post #3 of 6 (141 views)
Re: ip options [In reply to]

On Oct 29, 2009, at 2:05 AM, Luca Tosolini wrote:

> Considering the security hazard that they imply, I am therefore
> thinking
> to drop them.

You should certainly consider the impact on traceroute and possibly
QoS (i.e., RSVP, if it's relevant) in your environment.

Some vendors/platforms also have the option to ignore, rather than drop.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins[at]arbor.net> // <http://www.arbornetworks.com>

Sorry, sometimes I mistake your existential crises for technical
insights.

-- xkcd #625
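
Added example, not part of the thread: before dropping optioned packets, one way to measure which options a link actually carries is to parse the IPv4 header options of captured packets and count what a drop policy would hit. The option numbers are from the IANA IP Option Numbers registry; the default allow-list (router-alert only, for RSVP), the function names and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Option type byte -> name as in the router's completion list (IANA numbers).
OPTION_NAMES = {7: "route-record", 68: "timestamp", 130: "security",
                131: "loose-source-route", 136: "stream-id",
                137: "strict-source-route", 148: "router-alert"}

def ip_options(packet: bytes) -> list:
    """Return the option names carried in one raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    opts, found, i = packet[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation, single byte
            i += 1
            continue
        # Other options are type, length, data; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.append("malformed")
            break
        found.append(OPTION_NAMES.get(kind, "unknown-%d" % kind))
        i += opts[i + 1]
    return found

def audit(packets, allowed=frozenset({"router-alert"})):
    """Count packets per option that a drop-unless-allowed policy would hit."""
    would_drop = Counter()
    for pkt in packets:
        for name in set(ip_options(pkt)) - allowed:
            would_drop[name] += 1
    return would_drop

def build(options: bytes) -> bytes:
    """Constructed sample: bare IPv4 header (TEST-NET addresses) plus options."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    ver_ihl = (4 << 4) | (5 + len(options) // 4)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(options), 0, 0,
                       64, 46, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02") + options

SAMPLES = [build(b"\x94\x04\x00\x00"),                  # router-alert (RSVP)
           build(b"\x07\x07\x04" + b"\x00" * 4),        # route-record
           build(b"\x83\x07\x04" + b"\x00" * 4),        # loose-source-route
           build(b"\x44\x08\x05\x00" + b"\x00" * 4),    # timestamp
           build(b"")]                                  # no options
```

Calling `audit(SAMPLES)` counts one packet each for route-record, loose-source-route and timestamp, and leaves the router-alert packet alone.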


rbonica at juniper

Nov 3, 2009, 12:44 PM

Post #4 of 6 (85 views)
Re: ip options [In reply to]

Folks,

I would love to see the IETF OPSEC WG publish a document on the pros and
cons of filtering optioned packets.

Would anybody on this list be willing to author an Internet Draft?

Ron
(co-director IETF O&M Area)

Luca Tosolini wrote:
> Experts,
> out of the well-known values for ip options:
>
> X[at]r4# set ip-options ?
> Possible completions:
>   <range>              Range of values
>   [                    Open a set of values
>   any                  Any IP option
>   loose-source-route   Loose source route
>   route-record         Route record
>   router-alert         Router alert
>   security             Security
>   stream-id            Stream ID
>   strict-source-route  Strict source route
>   timestamp            Timestamp
>
> I can only think of:
> - RSVP using router-alert
> - ICMP using route-record, timestamp
>
> But I can not think of any other use of any other IP option.
> Considering the security hazard that they imply, I am therefore thinking
> to drop them.
>
> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
> Thanks,
> Luca.
>
>
>


joelja at bogus

Nov 3, 2009, 7:41 PM

Post #5 of 6 (84 views)
Re: ip options [In reply to]

How about unused and/or private/local diffserv code points?


Ron Bonica wrote:
> Folks,
>
> I would love to see the IETF OPSEC WG publish a document on the pros and
> cons of filtering optioned packets.
>
> Would anybody on this list be willing to author an Internet Draft?
>
> Ron
> (co-director IETF O&M Area)
>
> Luca Tosolini wrote:
>> Experts,
>> out of the well-known values for ip options:
>>
>> X[at]r4# set ip-options ?
>> Possible completions:
>>   <range>              Range of values
>>   [                    Open a set of values
>>   any                  Any IP option
>>   loose-source-route   Loose source route
>>   route-record         Route record
>>   router-alert         Router alert
>>   security             Security
>>   stream-id            Stream ID
>>   strict-source-route  Strict source route
>>   timestamp            Timestamp
>>
>> I can only think of:
>> - RSVP using router-alert
>> - ICMP using route-record, timestamp
>>
>> But I can not think of any other use of any other IP option.
>> Considering the security hazard that they imply, I am therefore thinking
>> to drop them.
>>
>> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
>> Thanks,
>> Luca.
>>
>>
>>
>


isabeldias1 at yahoo

Nov 4, 2009, 6:54 AM

Post #6 of 6 (81 views)
Re: ip options [In reply to]

:-)



----- Original Message ----
From: joel jaeggli <joelja[at]bogus.com>
To: Ron Bonica <rbonica[at]juniper.net>
Cc: nanog <nanog[at]nanog.org>
Sent: Wed, November 4, 2009 3:41:26 AM
Subject: Re: ip options

How about unused and/or private/local diffserv code points?


Ron Bonica wrote:
> Folks,
>
> I would love to see the IETF OPSEC WG publish a document on the pros and
> cons of filtering optioned packets.
>
> Would anybody on this list be willing to author an Internet Draft?
>
>                                      Ron
>                                      (co-director IETF O&M Area)
>
> Luca Tosolini wrote:
>> Experts,
>> out of the well-known values for ip options:
>>
>> X[at]r4# set ip-options ?
>> Possible completions:
>>  <range>              Range of values
>>  [                    Open a set of values
>>  any                  Any IP option
>>  loose-source-route  Loose source route
>>  route-record        Route record
>>  router-alert        Router alert
>>  security            Security
>>  stream-id            Stream ID
>>  strict-source-route  Strict source route
>>  timestamp            Timestamp
>>
>> I can only think of:
>> - RSVP using router-alert
>> - ICMP using route-record, timestamp
>>
>> But I can not think of any other use of any other IP option.
>> Considering the security hazard that they imply, I am therefore thinking
>> to drop them.
>>
>> Is any other ip options used by: ospf, isis, bgp, ldp, igmp, pim, bfd?
>> Thanks,
>> Luca.
>>
>>
>>
>

