Recently in this list, I posted a pair of questions regarding the
filtering capabilities of Ascend's Pipeline 50 router. My questions
dealt with how a P50 could be made to recognize and drop source-routed
Several of you, including two Ascend employees, were kind enough
to respond, both in the list and privately. As is often the case,
some answers were partial, while others posed seeming contradictions.
No one was actually wrong about anything, but no one seemed to have
the whole story, all in one place.
In subsequent exchanges with the respondents, I've made an attempt
to resolve the competing claims and to come up with a coherent
picture of what the P50 actually does. The following is a summary
of what I've found. Any residual misstatements, confusions and so
on are my fault.
* * *
Source-routed packets and the Ascend P50
At this time, all Ascend routers drop all packets with Strict Source
Routing enabled. The routers, including the Pipeline 50, detect
the presence of this option in their IP-recognition layer, before
handing off the packet in question to the filtering rules. Any
packet with strict source routing turned on is dropped before any
rule has a chance to look at it. Hence, any static rule aimed at
identifying strict-source-routed packets is unnecessary.
Several people informed me that this was the case for the P50.
More specifically, several people said the P50 dropped "source
routed" packets by default. However, no one distinguished between
strict source routing and loose source routing. Quite frankly, I
still don't know what happens to packets having the Loose Source
Routing option turned on.
There is no mention of source routing at all in any of my P50
documentation. As I mentioned in my originally posted query, my
calls to Ascend's formal tech support staff weren't all that
enlightening. Out-of-band conversations with helpful Ascend guys
worked a lot better. Regrettably, though, authoritative documentation
on this subject is hard to come by, even within Ascend.
The short version is that P50 owners may or may not be protected
automatically from attacks based on Loose Source Routing. I just
don't know. Those of you who today believe in your site's safety,
based partly on your presumed immunity from such attacks, might
want to run a few tests and pester Ascend to document this behavior
is some credible and accessible manner.
To be fair, Ascend's design choice -- kill before filtering -- is
a reasonable one. By definition, Ascend's static filtering rules
are ill equipped to deal sensibly with variable-length option data.
Source-routing options can, in practice, show up at differing
offsets in the packets, whereas an Ascend-style "generic" filter
can look only at fixed locations.
Hence, static filters are, in the P50, a bad choice for screening
source-routed packets. With "generic" filters, you might catch
some naively constructed packets of interest, but there are no
guarantees. In order to deal correctly with all option-placement
possibilities, you must have a packet handler that understands the
underlying IP layout, which generic filters plainly do not.
That's the bad news. The good news is that Ascend has recognized
the need for this capability.
Ascend Communications has unveiled an add-on security utility for
some of their routers, including the Pipeline family, to be called
Ascend Secure Access. Secure Access is supposed to be smart about
IP options and should, at least in this instance, give me what I
was looking for in the first place. (It also does a lot more,
including dynamic reconfiguration of filtering, that looks handy.
This is not an advertisement. I don't own Ascend stock. I'm just
a P50 owner, telling you what I found when I went looking.)
Those of you who tend to lie awake at night, worrying about your
P50's filtering rules, might want to have a look at this enhancement.
I have no idea what Ascend is going to charge for it. If any of you
come up with a dollar figure, please post it back to this list or
drop me a note. Again, this is not an ad for Ascend, but, in the
interests of convenience, here are the relevant contact points, for
those of you who are interested:
Tel: +1 (510) 769-6001
Fax: +1 (510) 814-2300
Fax server: +1 (415) 688-4343
Special thanks to Messrs. Brennen, Edguer, Henits and Wong. If
anything I've said here is wrong, please let me know -- I'll correct
my errors in the mailing list. A lot of P50 owners are apparently
relying on hearsay for ruleset construction (and lack thereof).
This is definitely a case of ignorance not being bliss.
Frank McCormick <gfm @