[c-nsp] Hiding a Cisco Router from a Traceroute
Kristofer Sigurdsson
kristo at ipf.is
Mon Oct 24 10:56:43 EDT 2005
On Mon, 2005-10-24 at 15:33 +0100, Robert Kiessling wrote:
> Adam Greene wrote:
> > Following up on this discussion ... in effect, we "block" traceroutes by
> > implementing private IP addresses on router interfaces within our network.
> > We viewed the utilization of private IP addresses as a security enhancement
> > (i.e. the internal routers will never be victims of DoS attacks originating
> > from outside our network).
>
> Implementing private IP addresses on links between your routers
> violates RFC1918 unless you implement filters on your borders.
> You still originate the ICMPs and they still reach the sources
> (unless filtered). This is a very bad idea.
Since these addresses are meant for use for networks not connected
to the Internet (see sec. 2 of RFC1918), this violates RFC1918, filters
or no filters.
>
> One solution to your problem is to use addresses for the links
> which are assigned to you (eg. by ARIN or RIPE or an intermediary)
> but which are not advertised in the DFZ. You can for example
> get PI addresses separate from your normal PA addresses.
>
> This way users see the same traceroute results including reverse
> DNS, but no one outside your AS can directly reach your routers.
>
> There is a catch though. Some networks implement loose RPF filters
> which in this case means your ICMP responses will be filtered by
> those networks and not reach external users tracerouting to you.
>
> There is a workaround though. You can advertise that netblock
> from somewhere external to your network to "trick" the loose RPF
If you use addresses for your router interfaces that cannot be reached
from the general user, or if you filter ICMP to/from the interfaces
somehow, you will break MTU path discovery, thereby making your users
unable to reach a significant part of the Internet, and possibly a large
number of users will be unable to reach your services (eg. www).
--
Kristófer Sigurðsson Tel: +354 414 1600
Netrekstur/Network Operations IP Fjarskipti ehf.
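The PMTUD failure discussed in this reply, as an added Python model that is not code from the thread or from any of its posters; the sample prefixes, the function names and the simplified loose-uRPF rule (any covering FIB route, default route excluded) are assumptions made for the illustration.

```python
import ipaddress
from typing import Iterable

# Constructed sample data for this illustration (not taken from the thread):
# prefixes the rest of the Internet (the DFZ) has routes for.  The link
# prefix 198.51.100.0/24 is assigned to the operator but NOT advertised,
# which is the setup described above; 10.0.0.0/8 is RFC1918 and never in the DFZ.
DFZ_FIB = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "203.0.113.0/24")]
UNADVERTISED_LINK_PREFIX = ipaddress.ip_network("198.51.100.0/24")

def loose_urpf_passes(src: str, fib: Iterable[ipaddress.IPv4Network]) -> bool:
    """Loose uRPF: forward a packet if *any* FIB route covers its source address,
    regardless of interface.  The default route is ignored here, matching the
    usual behaviour when 'allow-default' is not configured (assumption)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in fib if net.prefixlen > 0)

def pmtud_outcome(link_addr: str, fib, link_mtu: int, packet_len: int) -> str:
    """A DF-marked packet of packet_len bytes reaches a router whose outgoing
    link has link_mtu.  A too-big packet makes the router send ICMP type 3 code 4
    sourced from link_addr; a loose-uRPF transit filter then decides whether the
    original sender ever learns the smaller MTU."""
    if packet_len <= link_mtu:
        return "delivered"
    if not loose_urpf_passes(link_addr, fib):
        return "blackhole: ICMP frag-needed from %s dropped by loose uRPF" % link_addr
    return "sender resends at %d bytes" % link_mtu

def with_workaround(fib):
    """The workaround quoted above: get the link netblock advertised (from
    anywhere), so transit FIBs carry a route for it and loose uRPF passes the ICMP."""
    return list(fib) + [UNADVERTISED_LINK_PREFIX]

if __name__ == "__main__":
    for label, addr, fib in (
        ("advertised PA link", "192.0.2.1", DFZ_FIB),
        ("RFC1918 link", "10.0.0.1", DFZ_FIB),
        ("unadvertised PI link", "198.51.100.1", DFZ_FIB),
        ("PI link, netblock advertised", "198.51.100.1", with_workaround(DFZ_FIB)),
    ):
        print("%-30s %s" % (label, pmtud_outcome(addr, fib, 1480, 1500)))
```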