On Sat, Mar 25, 2000 at 12:03:45AM +0000, Brad Whitehead wrote:
> Hi,
> What is the state of support for source routing in linux?
> My situation is this: I have two available routes out to the internet. The
> branch occurs after several hops. eg. Packets travel the same route for
> hops 1, 2 and 3, but then can be routed either through router 4 or 5. I
> dont have permission (access) to change the routing tables on any of these
> routers. I would like to be able to choose between router 4 or 5
> on-the-fly. eg. if router 4 goes down, then I would like to be able to
> switch the route to use router 5. The only way I could think of doing this
> is a loose source-route to router 5. I looked for several hours trying to
> find out how this could be done, with no luck, is this not supported in
> linux yet?
Source routing has been in the kernel for a long long time. There
use to be configuration option to suppress or prohibit source routing
(since it is a security hole) but that option disappeared many revs back.
I just glanced at net/ipv4/ipoptions.c and the code for IPOPT_SSRR (strict
source routing) and IPOPT_LSRR (loose source routing) are still there.
I don't know how they are enabled and disabled at this time. I would guess
maybe a proc or sysctl interface much like forwarding became.
That being said... The chances of you getting source routing to
work over a significant path in the net are extremely slim. You say you
don't have control over the routers which determine which route to take.
Chance are very good that one or more routers along that path are going
to prohibit source routing. Many routers, concentrators, and terminal
servers are now dropping all source routed packets as their default (or
possibly only) configuration. Manufactures and ISPs have come to recognize
the security risk present in unrestrained source routing and have stopped
supporting it. You may get source routing to work in Linux only to
discover that you still can't get it to work on the net.
The reason I know about this is that I'm the Senior Researcher
and Fellow at Internet Security Systems on the X-Force. One test that
we have in one of our products is a test for source routing bypassing
a firewall (clue alert - guess where the security hole is). I've had
source routing working in a test lab to demonstrate the test, both
positive and negative. This was many kernel revs back, but I was able
to use a "source route enabled" version of telnet on Linux to validate
when we had source routing enabled on another Linux box and when we had
it disabled. Linux is one of the few system, at the time, that made it
relatively easy to enable it and disable it.
In the lab is one thing. I have yet to ever see it work past an
outside ISP. Everything, and I do mean absolutely everything, in the path
from your source to your finally destination must permit source routing
options. If even one router or one dialing server blocks it, it won't
work at all. Even if they are not specifically called out as a host on
the loose source route, they can still block the packet with the source
route option, and many already do.
> The reason I'm posting this to the kernel dev list is; if source routing is
> simply not supported yet, I will write support for it, but want to make
> sure I'm not just duplicating someone elses work. I have done some network
> programming before, but never anything with the linux kernel. Is support
> for source routing something that should be coded into the kernel or a
> user-space app?
> I would like to see implementation of this be as flexible as possible, so
> others can use it too :) A simple user-space app to pass requests to
> modify a source-routing table is the simplest solution I have thought of.
> Should the kernel side be an independant module? Or should source-route
> support be a direct part of ipv4?
Source routing is supported but what it sounds like is that you
want to set up a source routing table in the kernel to source route
packets even if the app has not set the source route option on the socket.
This would be a bad thing. Even if you could get it to work, what would
you do if the application DID set the source route option. This has
always been left up to the application to enable and specify on a socket
by socket basis.
> If anyone has any further ideas (or hints!) please let me know
Hints... Yes... Look elsewhere for your solution.
> Thanks,
> Brad.
Mike
-- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Mar 31 2000 - 21:00:15 EST