source-route


Robert Hanson

Oct 7, 1998

how does the statement below affect my core router if in effect?

no ip source-route

what if it is not in effect?

tia!

- rh


Manfred Kwiatkowski

Oct 7, 1998
In article <9077535...@news.Colorado.EDU>, Robert Hanson <rob...@cet.com> writes:
>
> how does the statement below affect my core router if in effect?
>
> no ip source-route

traceroute -g will not work


>
> what if it is not in effect?

it depends...

--
Manfred Kwiatkowski kwiat...@zrz.tu-berlin.de

Ravi

Oct 7, 1998
Robert,

The no ip source-route command instructs the router to discard IP packets
with source-routing information. Since such packets can be used to
circumvent routes in the routing tables, they pose a security threat. For
this reason, I would recommend implementing the command on any firewall
routers.

If the command is not in effect, the router will forward the packet
according to the source-routing information it provides.... In the unlikely
event that you have applications that use source-routed IP packets, this is
what you want to do (on your internal routers).

Ravi Sakaria
The Aiko Group
Information Technology Consultants
ra...@aikogroup.com


Robert Hanson wrote in message <9077535...@news.Colorado.EDU>...

>how does the statement below affect my core router if in effect?
>
>no ip source-route
>
>what if it is not in effect?
>
>tia!
>
> - rh

Dennis Wind

Oct 7, 1998
This is ip source route and not token ring source routing and the no is
perfectly ok.
Dennis

jwhi...@hotmail.com

Oct 7, 1998
If your router is Internet facing I would also recommend:

no service finger

and disabling CDP on your external connections
and no ip directed-broadcast on any CSMA/CD networks

jon

> Robert,
>
> The no ip source-route command instructs the router to discard IP packets
> with source-routing information. Since such packets can be used to
> circumvent routes in the routing tables, they pose a security threat. For
> this reason, I would recommend implementing the command on any firewall
> routers.
>
> If the command is not in effect, the router will forward the packet
> according to the source-routing information it provides.... In the unlikely
> event that you have applications that use source-routed IP packets, this is
> what you want to do (on your internal routers).
>
> Ravi Sakaria
> The Aiko Group
> Information Technology Consultants
> ra...@aikogroup.com
>
> Robert Hanson wrote in message <9077535...@news.Colorado.EDU>...
> >
> >how does the statement below affect my core router if in effect?
> >
> >no ip source-route
> >
> >what if it is not in effect?
> >
> >tia!
> >
> > - rh
> >
>


JRA...@keyfin.com

Oct 7, 1998

ip source-route refers to a part of the packet that can be manipulated to
alter the source-routing information, or the information back to the sender
to differ. This is a security risk, since a hacker could modify the
source-route to reflect his/her own, although the packet may appear to have
a valid source address. It is my understanding that most applications no
longer use source-route information. It is a safe and wise tactic to use
the "no ip source-route".

Jason


rob...@cet.com on 10/07/98 03:39:45 AM

To: ci...@spot.colorado.edu
cc: (bcc: Jason T Rakers/Keystone Data Services)
Subject: source-route

Paul Ferguson

Oct 7, 1998
The addition of this global configuration statement adds some
needed security to your router -- it disallows the transit of
loose source-routed IP packets.

The vulnerability of allowing source-routed IP packets is that you
could unwittingly allow traffic into a "restricted" portion of your
network which falsely claimed to have originated from a network you
may consider "trusted," or possibly claiming to have originated from
within your own network itself.

The problem with disabling it is that it then disables the ability to
troubleshoot connectivity problems using the "traceroute -g" option,
therefore disabling loose source-routing in core backbones is generally
discouraged by larger service providers, since it throws a major monkey
wrench into their ability to remotely troubleshoot connectivity problems.
It is a generally accepted practice, however, for smaller networks to
disable it at the entrance to their organizational networks.

Although a little dated, see:

Increasing Security On IP Networks
http://www.cisco.com/warp/public/701/31.html

- paul

At 12:39 AM 10/7/98 -0700, Robert Hanson wrote:

>
>how does the statement below affect my core router if in effect?
>
>no ip source-route
>
>what if it is not in effect?
>
>tia!
>
> - rh


--
Paul Ferguson
Consulting Engineering
Internet Architecture
Herndon, Virginia USA
mailto:ferg...@cisco.com
cisco Systems

Paul Ferguson

Oct 7, 1998
At 08:20 AM 10/7/98 -0400, JRA...@KEYFIN.COM wrote:

>ip source-route refers to a part of the packet that can be manipulated to
>alter the source-routing information, or the information back to the sender
>to differ. This is a security risk, since a hacker could modify the
>source-route to reflect his/her own, although the packet may appear to have
>a valid source address. It is my understanding that most applications no
>longer use source-route information. It is a safe and wise tactic to use
>the "no ip source-route".

Again:

The problem with disabling loose source-routing is that it breaks the
ability to troubleshoot connectivity problems using the "traceroute -g" option,
therefore disabling loose source-routing in core backbones is generally
discouraged by larger service providers, since it throws a major monkey
wrench into their ability to remotely troubleshoot connectivity problems.
It is a generally accepted practice, however, for smaller networks to
disable it at the entrance to their organizational networks.

- paul

Rolf Weber

Oct 8, 1998
JRA...@KEYFIN.COM wrote:
>
> ip source-route refers to a part of the packet that can be manipulated to
> alter the source-routing information, or the information back to the sender
> to differ. This is a security risk, since a hacker could modify the
> source-route to reflect his/her own, although the packet may appear to have
> a valid source address.
>
You _have_ to know which IP-addresses are allowed on which
of your interfaces - with or without source routing.
Leaving source routing enabled isn't an additional security
risk. Not really.

rolf

William Chops

Oct 8, 1998
> You _have_ to know which IP-addresses are allowed on which
> of your interfaces - with or without source routing.
> Leaving source routing enabled isn't an additional security
> risk. Not really.

It is because cisco doesn't have an access-list mechanism that checks ALL
of the addresses in the source route.

BillW

Kent Hundley

Oct 12, 1998
Robert,

It would keep the router from forwarding packets that have the almost never
used 'source-route' option. IP packets have the capability for you to
specify in the packet itself the path they should take through a network
instead of allowing the routers to forward based upon routing table.

I've never seen anyone use this option except for hacking purposes. It
allows someone to bypass the routing information in your routers and send
packets from and to destinations that aren't in your routing table. Not a
good idea if you're even minimally concerned about security.

There are very few legitimate uses of source-routed packets.

To answer your question, if you have 'no ip source-route' the router will
drop packets with this option enabled.

HTH,
Kent Hundley
kent_h...@ins.com

Tony Rall

Oct 13, 1998
In article <9082467...@news.Colorado.EDU>,

Kent Hundley <hund...@ins.com> wrote:
>I've never seen anyone use this option except for hacking purposes. It
>allows someone to bypass the routing information in your routers and send
>packets from and to destinations that aren't in your routing table. Not a
>good idea if you're even minimally concerned about security.
>
>There are very few legitimate uses of source-routed packets.

Maybe you've never had any problems that could not be fully diagnosed
unless you can learn the path back to your own system from some
target. Asymmetric routing is the norm in many networks, especially
the Internet.

Loose source routing, if it were enabled on enough routers, when used
on a traceroute, allows you to discover the routing path from any
point in the network to your own system. (Normal traceroute, without
source routing, only shows you the path *from* your system to any
target.)

I don't understand your statement, "allows someone to bypass the
routing information in your routers". Source routing simply means
that instead of routing to the destination address in the header you
may need to route to one of the addresses in the IP Options field of
the header. You continue to use your routing table to do this.

Regardless of the usefulness of source routing, it does create a
security weakness; thus folks connected to untrusted networks
generally should disable it.

--
Tony Rall
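
An added example to make the two points above concrete (it is not code from the thread, from Cisco IOS, or from any of the posters): Ravi's description of what `no ip source-route` does (discard packets carrying source-routing information) and Tony's explanation of what source routing actually is (the router forwards to an address taken from the IP Options field rather than to the header destination, still using its routing table). The parser below walks the IPv4 options field, recognizes the Loose and Strict Source and Record Route options (RFC 791 option types 131 and 137), lists the hops and the next hop indicated by the option's pointer byte, and returns the forwarding verdict with and without the command. The `ingress_screen` function also models Bill's point about access lists that look only at the header source address versus one that screens every address in the route list; that "screen all hops" rule is this example's own assumption, not an IOS feature. The packet bytes are constructed for the demo and the header checksum is left at zero.

```python
"""Added example: IPv4 source-route option parsing and the 'no ip source-route'
verdict. Not code from the thread or from IOS; sample packets are constructed."""
import ipaddress
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no operation (padding)
IPOPT_LSRR = 131  # loose source and record route (0x83), RFC 791
IPOPT_SSRR = 137  # strict source and record route (0x89), RFC 791


def build_ipv4_header(src, dst, route=None, strict=False, pointer=4):
    """Construct an IPv4 header for the demo. If `route` is given, an LSRR
    (or SSRR) option naming those hops is appended and padded to a 32-bit
    boundary with EOL. `pointer` is the RFC 791 pointer byte: 4 means the
    first listed hop has not been visited yet."""
    option = b""
    if route:
        body = bytes([pointer]) + b"".join(
            ipaddress.IPv4Address(a).packed for a in route)
        kind = IPOPT_SSRR if strict else IPOPT_LSRR
        option = bytes([kind, 2 + len(body)]) + body
        option += bytes(-len(option) % 4)      # EOL (0x00) padding
    ihl = 5 + len(option) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,        # version 4, IHL in 32-bit words
                        0,                     # TOS
                        ihl * 4,               # total length (header only)
                        0, 0,                  # identification, flags/fragment
                        64, 6,                 # TTL, protocol (TCP)
                        0,                     # checksum: not computed here
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + option


def parse_ipv4_options(header):
    """Return [(type, data), ...] from the options field of a full IPv4
    header (IHL*4 bytes). Raises ValueError on a malformed option list."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL or truncated header")
    opts = header[20:ihl]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def source_route(header):
    """Return (kind, hops, next_hop) if the packet carries LSRR/SSRR, else
    None. next_hop is None once the pointer is past the last hop; the packet
    is then forwarded to the header destination as usual."""
    for kind, data in parse_ipv4_options(header):
        if kind not in (IPOPT_LSRR, IPOPT_SSRR):
            continue
        if not data:
            raise ValueError("source route option without pointer")
        pointer, route = data[0], data[1:]
        hops = [str(ipaddress.IPv4Address(route[i:i + 4]))
                for i in range(0, len(route) - len(route) % 4, 4)]
        idx = (pointer - 4) // 4               # pointer counts from the option start
        next_hop = hops[idx] if 0 <= idx < len(hops) else None
        return ("strict" if kind == IPOPT_SSRR else "loose", hops, next_hop)
    return None


def forward_verdict(header, ip_source_route=True):
    """ip_source_route=False models 'no ip source-route': any packet carrying
    an LSRR/SSRR option is discarded instead of forwarded."""
    if source_route(header) is None:
        return "forward"                       # ordinary destination-based routing
    return "forward-via-source-route" if ip_source_route else "drop"


def ingress_screen(header, trusted_nets):
    """Compare a filter that checks only the header source address with one
    that (assumption, not an IOS feature) also screens every listed hop.
    Returns (header_only_ok, all_addresses_ok)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def trusted(addr):
        return any(addr in n for n in nets)

    header_ok = trusted(ipaddress.IPv4Address(header[12:16]))
    sr = source_route(header)
    hops = [ipaddress.IPv4Address(h) for h in sr[1]] if sr else []
    return header_ok, header_ok and all(trusted(h) for h in hops)


if __name__ == "__main__":
    # Constructed sample: the header source claims an inside address while the
    # option names two outside hops the packet is asked to traverse.
    pkt = build_ipv4_header("10.0.0.5", "10.0.0.20",
                            route=["198.51.100.7", "203.0.113.9"])
    print(source_route(pkt))
    print(forward_verdict(pkt, ip_source_route=False))   # drop
    print(ingress_screen(pkt, ["10.0.0.0/8"]))            # (True, False)
```

The `(True, False)` result is the gap Bill describes: a source-address access list alone passes the packet, while screening the route list does not.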

Glen Turner

Oct 14, 1998
Tony Rall wrote:

> Maybe you've never had any problems that could not be fully diagnosed
> unless you can learn the path back to your own system from some
> target. Asymmetric routing is the norm in many networks, especially
> the Internet.

The usual way of tracing the reverse route in practice is to use
one of the web traceroute servers located at a suitable point.

> Regardless of the usefulness of source routing, it does create a
> security weakness; thus folks connected to untrusted networks
> generally should disable it.

Source routing allows the IP source address in a TCP session
to be forged. This is totally undesirable, as it allows
access lists and TCP-Wrappers to be defeated.

Tony Rall

Oct 16, 1998
In article <36248673...@adelaide.edu.au>,

Glen Turner <glen....@adelaide.edu.au> wrote:
>Source routing allows the IP source address in a TCP session
>to be forged. This is totally undesirable, as it allows
>access lists and TCP-Wrappers to be defeated.

The source address can be forged (and generally is) without using
source routing. What SR might permit is getting a forged source
address past a router's input filters (by bypassing the interface
that has the filters).

--
Tony Rall
