Re: Fooling the router

From: Tshon (tshon@xxxxxxxxxxx)
Date: Fri Mar 15 2002 - 14:59:09 GMT-3


I would ask one, what is your version of IOS. And also,
do you see

no validate-update-source

in your config? If you notice it in your config, it is off.
This command should be on by default,
and should avoid the problem you are talking about.

Ahmed Mamoor Amimi wrote:

>interesting ... i will try this
>
>-Mamoor
>
>
>----- Original Message -----
>From: Mannan Venkatesan <mv_lab@hotmail.com>
>To: lab <ccielab@groupstudy.com>
>Sent: Friday, March 15, 2002 9:11 PM
>Subject: Fooling the router
>
>
>>Guys,
>>One of my friends brought up a good question and we tested it. Here it goes:
>>
>>D1-----R1----------R2-----D2
>>
>>R1 is connected to R2 through a P-t-P serial link. I used the 10.1.1.1/24 address on
>>R1's serial interface and R2 had 20.2.2.2/24. R1 has a static route to D2
>>(desktop) with next-hop 10.1.1.2 (non-existent address). R2 has a static route to
>>D1 with next-hop 20.2.2.1 (non-existent address again).
>>
>>When I tried to ping D2 from D1, R1 and R2 never changed the source and
>>destination address (normal behavior) and it worked with R1 and R2 directly
>>connected using totally different network addresses.
>>
>>Of course this will not work if the routers originate any packet, but they
>>don't do any check if the packets are originated from desktops. Is it kind of a
>>security hole?
>>
>>Regards,
>>Mannan Venkatesan
>>CCIE # 8906, CCNP, CCDP,
>>Lucent Technologies - ESS
>>King of Prussia,
>>Pager: 888-663-3853
>>Email: mv70@lucent.com
>>Epage: page_mannan_venkatesan@ins.com
>>
>>"You can swim all day in the Sea of Knowledge and still come out completely
>>dry. Most people do."



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:09 GMT-3