
Re: Limits of stealthing



> Todd MacDermid <tmacd@synacklabs.net> writes:
>
> > IMO, in an ideal world, all management traffic would take place out
> > of band. That includes routing table data, active management, SNMP
> > traps out, everything. The box, to an in-bound perspective, would simply
> > be a bump in the wire, decrementing TTLs, and silently dropping packets
> > if they got to zero. (Well, maybe send something back to home base
> > to look for the routing loop).
>
> On the current Internet, the necessity of IP options processing
> prevents this.  IP options require far more complex processing, and
> most routers can handle packets with IP options only at a very limited
> rate.  At least one vendor offers to turn off IP option processing
> (forwarding the packets simply as if they weren't there), but it
> breaks some protocols (RSVP? IIRC something in the QoS land), and,
> more important, existing peering contracts---many of them require that
> you honour source routing information.

The goal here is to make the core invisible and thus not attackable.
It's admittedly one of the areas where the document reaches the
furthest beyond current practice. I've asked Todd to work on this/try
to break this down. It may wind up that we can't do it. At the
very least, I'd like to come out of this with a list of things
that would have to change/what would break:

 - Options processing
 - Peering contracts (non technical)
 - Others?

>
> (Sorry if this is already addressed in the draft, I haven't found the
> time to read it carefully yet.)

Sorry the draft is so long.  It's covering a lot of ground.

---George
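As an added illustration (not code from this thread or from any vendor), the "bump in the wire" behaviour and the IP-options problem discussed above in a toy Python forwarder: it decrements the TTL, drops expired packets silently (no ICMP back to the source), and classifies packets carrying options such as LSRR/SSRR into the slow path, or ignores them when option processing is switched off. The headers, addresses and option contents are constructed sample values.

```python
import struct
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137  # RFC 791 option codes

def checksum(data: bytes) -> int:            # one's-complement Internet checksum
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_header(ttl: int, options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (10.0.0.1 -> 10.0.0.2, proto TCP)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                                0, 0, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    hdr += options
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def parse_options(hdr: bytes) -> list:
    """Return the option type codes carried in the header (EOL/NOP skipped)."""
    ihl = (hdr[0] & 0x0F) * 4
    opts, i = [], 20
    while i < ihl:
        t = hdr[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or hdr[i + 1] < 2 or i + hdr[i + 1] > ihl:
            raise ValueError("malformed option at offset %d" % i)
        opts.append(t)
        i += hdr[i + 1]
    return opts

def forward(hdr: bytes, honour_options: bool = True):
    """Bump-in-the-wire step: decrement TTL, drop silently at zero, classify options."""
    ttl = hdr[8]
    if ttl <= 1:
        return "drop", None            # no ICMP Time Exceeded: the hop stays invisible
    new = bytearray(hdr)
    new[8] = ttl - 1
    new[10:12] = b"\x00\x00"
    new[10:12] = struct.pack("!H", checksum(bytes(new[:(hdr[0] & 0x0F) * 4])))
    opts = parse_options(hdr)
    if opts and honour_options:
        return "slow-path", bytes(new)  # options must be processed (e.g. source route)
    return "forward", bytes(new)        # options ignored, fast path as if absent
```

Counting how much of real traffic lands in the slow path is the measurement the thread is asking for before deciding whether option processing can be dropped.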