[c-nsp] Hiding a Cisco Router from a Traceroute
Joe Maimon
jmaimon at ttec.com
Fri Nov 18 08:49:23 EST 2005
Robert Kiessling wrote:
> Adam Greene wrote:
>
>>Following up on this discussion ... in effect, we "block" traceroutes by
>>implementing private IP addresses on router interfaces within our network.
>>We viewed the utilization of private IP addresses as a security enhancement
>>(i.e. the internal routers will never be victims of DoS attacks originating
>>from outside our network).
>
>
> Implementing private IP addresses on links between your routers
> violates RFC1918 unless you implement filters on your borders.
> You still originate the ICMPs and they still reach the sources
> (unless filtered). This is a very bad idea.
>
> One solution to your problem is to use addresses for the links
> which are assigned to you (e.g. by ARIN or RIPE or an intermediary)
> but which are not advertised in the DFZ. You can for example
> get PI addresses separate from your normal PA addresses.
The other solution involves NAT, which can become problematic quickly.
However, it sure would be nice to be able to have all otherwise
meaningless IP addresses for links in a router be RFC1918, with the
ability to do low-processor-intensive NAT of ICMP generated from the box itself
without involving any other traffic transiting any other interfaces.
Something similar to ip local policy-route would be nice for NAT.
So you could sum up hundreds of RFC1918 interface addresses into one
loopback public address null routed in your AS, but part of a prefix
announced to the world, with no leakage, no change of route direction
for the ICMP replies and without having to reveal specifics other than a
chosen address identifier for the box.
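The point Robert raises is that RFC1918 link addresses still leak to the outside world in the ICMP time-exceeded replies a router generates, so a network that uses them without border filters is visible as such in any traceroute. The script below is an added example, not part of this thread or of any poster's code: it parses traceroute output (a constructed sample using RFC 5737 documentation addresses for the "public" hops) and flags every hop that answered from RFC1918 space, which is a quick way to audit your own network from the outside and confirm that the border filters actually stop the leak.

```python
import ipaddress
import re

# RFC 1918 private address space, the ranges discussed in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# One traceroute hop line: hop number followed by the rest of the line.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Dotted-quad IPv4 literal; RTT values like "0.412" have only two parts
# and therefore never match.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rfc1918(addr: str) -> bool:
    """True if the dotted-quad address falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_hops(traceroute_text: str) -> list:
    """Tag each hop as 'public', 'rfc1918-leak' or 'no-response'.

    The header line ("traceroute to ...") does not start with a hop number
    and is skipped. A hop that shows only "* * *" produced no ICMP reply at
    all (dropped or filtered), which is the opposite of a leak.
    """
    results = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = int(m.group(1))
        ips = IPV4_RE.findall(m.group(2))
        if not ips:
            results.append({"hop": hop, "addr": None, "status": "no-response"})
            continue
        addr = ips[0]  # traceroute prints the replying address first
        status = "rfc1918-leak" if is_rfc1918(addr) else "public"
        results.append({"hop": hop, "addr": addr, "status": status})
    return results


def leaked_hops(traceroute_text: str) -> list:
    """Hop numbers whose ICMP reply came from an RFC 1918 source."""
    return [r["hop"] for r in classify_hops(traceroute_text)
            if r["status"] == "rfc1918-leak"]


# Constructed sample output (not a real trace): hops 2 and 4 reply from
# private link addresses, hop 3 is silent, hops 1 and 5 use documentation
# prefixes standing in for public addresses.
SAMPLE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.380 ms  0.366 ms
 2  10.255.0.1 (10.255.0.1)  1.201 ms  1.190 ms  1.177 ms
 3  * * *
 4  172.20.1.9 (172.20.1.9)  4.512 ms  4.500 ms  4.488 ms
 5  203.0.113.10 (203.0.113.10)  9.001 ms  8.990 ms  8.978 ms
"""

if __name__ == "__main__":
    for r in classify_hops(SAMPLE):
        print(f"hop {r['hop']:>2}  {r['addr'] or '*':<16} {r['status']}")
    print("leaking hops:", leaked_hops(SAMPLE))
```

Run it against a saved trace through your own border (`python3 check.py < trace.txt` after swapping `SAMPLE` for `sys.stdin.read()`); an empty `leaked_hops` result means either the links are numbered from assigned, unadvertised space as Robert suggests, or the border filters are dropping the replies sourced from RFC1918, which shows up as `no-response` hops instead.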