[c-nsp] Hiding a Cisco Router from a Traceroute

Adam Greene maillist at webjogger.net
Mon Oct 24 14:04:18 EDT 2005


Thanks for the feedback. It's sounding like the best idea is to use
publicly routable IP addresses on my router interfaces, and until I
accomplish that change, make sure filters are in place preventing any
packets from leaving my network with private source IPs. I guess I can set
up ACLs determining what type of traffic I will allow in from the Internet
to my router interface addresses.

The other alternative I understand that Robert is suggesting is utilizing a
block of PI addresses on the routers, and not advertising that block
upstream. However, this would still break traceroute for end-users of
providers implementing loose RPF.

From that p.o.v. the first option sounds better to me.

One more thing: just to clarify (to better understand the extent of my
error): perhaps the violation of RFC 1918 Kristofer states even with filters
in place is a matter of interpretation? Section 5 of the RFC states, "It is
strongly recommended that routers which connect enterprises to external
networks are set up with appropriate packet and routing filters at both
ends of the link in order to prevent packet and routing information
leakage."

Thanks for all your help.
Adam
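
An added illustration, not part of Adam's message or of any code from the list: a small Python model of the two checks discussed above, showing which traceroute hops an end user would see under each addressing option. The function names are hypothetical, the addresses are constructed (documentation prefixes stand in for real blocks), and loose RPF is modeled under the assumption that a source must match some non-default route.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def egress_permits(src):
    """Border egress filter: drop any packet sourced from RFC 1918 space."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in RFC1918)

def loose_rpf_permits(src, fib):
    """Loose RPF (assumed model): accept the packet only if some
    non-default route in the receiving provider's table covers the source."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in fib if net.prefixlen > 0)

def visible_hops(hop_sources, fib, loose_rpf=True):
    """For each hop, return the address the end user sees, or '*' when the
    router's ICMP reply is dropped by the egress filter or by loose RPF."""
    seen = []
    for src in hop_sources:
        ok = egress_permits(src) and (not loose_rpf or loose_rpf_permits(src, fib))
        seen.append(src if ok else "*")
    return seen

# Constructed sample data: the end user's provider carries only these routes.
PROVIDER_FIB = [ipaddress.ip_network(n)
                for n in ("0.0.0.0/0", "198.51.100.0/24", "203.0.113.0/24")]

# Source addresses of the replies from three hops; the middle hop is "my" router.
HOPS_PRIVATE = ["203.0.113.1", "10.1.1.1", "198.51.100.9"]          # RFC 1918 interface
HOPS_UNADVERTISED_PI = ["203.0.113.1", "192.0.2.1", "198.51.100.9"]  # PI block, not announced
HOPS_ROUTABLE = ["203.0.113.1", "198.51.100.1", "198.51.100.9"]      # advertised address

if __name__ == "__main__":
    for name, hops in [("private", HOPS_PRIVATE),
                       ("unadvertised PI", HOPS_UNADVERTISED_PI),
                       ("routable", HOPS_ROUTABLE)]:
        print(name, "loose RPF:", visible_hops(hops, PROVIDER_FIB),
              "no RPF:", visible_hops(hops, PROVIDER_FIB, loose_rpf=False))
```

In this model the unadvertised PI hop disappears only for users behind a provider doing loose RPF, while the private-addressed hop disappears everywhere once the egress filter is in place.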
