
comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
Section - What can I do about source routing?



Top Document: comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
Previous Document: How should I restrict access to my router?
Next Document: Is there a block of private IP addresses I can use?
What *is* source routing?

Source routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection would take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.

Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A) think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's IP address
for some purposes.

The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as Wietse Venema's
(<wietse@wzv.win.tue.nl>) tcp_wrapper:

        ftp://cert.org:pub/tools/

For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell sometime in mid-1994.

If disabling source routing on all your clients is not possible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route: two IP options, the first
of which is a type of source routing), but it may be necessary for some.
If so, you can do this with

        foo-e-0#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        foo-e-0(config)#no ip source-route
        foo-e-0(config)#^Z

It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').
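The detection side of the advice above, as an added example that is not part of the FAQ: a parser that flags IPv4 headers carrying the LSRR or SSRR option (the packets ``no ip source-route'' refuses to forward) and lists the hops they name, so a host or monitor can log them instead of honouring them. Option codes are from RFC 791; the sample headers and all addresses (documentation ranges) are constructed here.

```python
import struct
from ipaddress import IPv4Address

OPT_EOL, OPT_NOP = 0, 1                 # single-byte options, no length field
OPT_LSRR, OPT_SSRR = 0x83, 0x89         # RFC 791: 131 Loose / 137 Strict Source and Record Route
SOURCE_ROUTE_OPTS = {OPT_LSRR, OPT_SSRR}

def parse_ipv4_options(packet: bytes) -> list:
    """Return [(type, data), ...] for the options in an IPv4 header. Raises ValueError on a
    truncated header or bad option length; a filter should treat that as 'drop', not 'allow'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or IHL")
    opts, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = packet[i + 1] if i + 1 < ihl else 0
        if length < 2 or i + length > ihl:
            raise ValueError("option length out of bounds")
        opts.append((kind, bytes(packet[i + 2:i + length])))
        i += length
    return opts

def is_source_routed(packet: bytes) -> bool:
    """True if the header carries LSRR or SSRR, i.e. the sender is dictating the path."""
    return any(kind in SOURCE_ROUTE_OPTS for kind, _ in parse_ipv4_options(packet))

def route_hops(packet: bytes) -> list:
    """Hops listed in a source-route option, for logging; data[0] is the pointer byte."""
    for kind, data in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTS:
            return [str(IPv4Address(data[j:j + 4])) for j in range(1, len(data) - 3, 4)]
    return []

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left zero); options padded to 32 bits with EOL."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 20 + len(options),
                       0, 0, 64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + options

# Constructed samples (documentation address ranges): a plain header and one with LSRR via 192.0.2.1.
PLAIN = build_header("198.51.100.10", "203.0.113.5")
LSRR = build_header("198.51.100.10", "203.0.113.5", bytes([OPT_LSRR, 7, 4]) + IPv4Address("192.0.2.1").packed)
```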

Send corrections/additions to the FAQ Maintainer:
cisco-faq@panix.com (comp.dcom.sys.cisco FAQ responses)





Last Update March 27 2014 @ 02:11 PM