no ip source-route question

ravillal
Level 1

Hi,

I was reading about the ip source-route command and that it should only be used with CEF. Quick question: if I use no ip source-route, will that affect my policy routing that I'm applying with my Route Map?

Thanks

10 Replies

Richard Burts
Hall of Fame

I wonder what you were reading that seems to suggest a relationship of cef with ip source-route. I do not remember reading anything that suggests any relationship.

Almost all routers that I configure for customers include the no ip source-route command. It is very rare to find any situation where that functionality is needed and the security implications of it are negative.

I have configured policy routing on a number of customer routers and have never had the no ip source-route command have any effect on it.

HTH

Rick

Kevin Dorrell
Level 10

ip source-route is a completely different thing to policy routing.

Policy routing allows you to route according to various parameters, not just destination IP address. It is often used for routing by IP source address.

IP source-route is a little-used option that allows the originator of a packet to decide which routers he should go through to get to his destination. He does this by supplying the full path of routers on the options header of the IP packet.

IP source routing is extremely dangerous, and most NetAdmins disable it in live networks.

Hope this helps.

Kevin Dorrell

Luxembourg

Kevin Dorrell
Level 10

I think ip source-route and policy routing very often get confused, but they are two very distinct things.

Policy routing is a way of specifying routes to depend on various parameters, including perhaps the source IP address of a packet. It is a local policy applied at a router.

ip source-route is something entirely different. It is a feature where the originator of an IP packet specifies, in that packet, which routers the packet must go through to reach its destination. The path is tagged onto the options field of the IP packet. The feature is very dangerous, and most NetAdmins disable it.

I think the confusion comes about because of the words "source" and "route".

Kevin Dorrell

Luxembourg

Hello Kevin,

Please can you tell me why this feature is very dangerous?

Jain,

When you route by the source address, your gateway or first router will place a header that tells every router along the way which route to take. If a route goes down, the original router may not know the route went down, and continue sending traffic into a black hole.

But when the source route goes down in this case, why would the original router not know that the route went down?

The concern of source routing is it overrides "natural" routing.

As security rules often expect packets to route as "expected", but source routing might defeat such rules by routing in "unexpected" ways. For example, you might be able to route around a device with security rules, or enter a security device via a link that doesn't have the same rules.

Additionally, as topology bandwidths are generally built for expected load levels, source routing can disrupt them too.

As example of the latter - suppose you have a T1 p2p link between sites, and an ISDN backup.  By "design" the ISDN link should only route traffic while/if the T1 link goes down.  However, someone clever notices that often the T1 is congested and they can obtain better performance by using the ISDN link while the T1 is still up.  This might be accomplished by using source routing to direct the packet to use the ISDN hop.

"ip source-route" does NOT mean that you are routing by the source address. The clue is in the name "source-route": as per earlier comments (13 YEARS AGO), it means that the routing is determined by the source DEVICE, i.e. the sender of the packet. It has nothing to do with the IP address of the sender.

The sender determines what route the packet should take (can be based on anything, automatically discovered or prescribed) and then compiles the list of intermediate routers that the packet must go through to get to the destination. The list is then inserted into the IP packet (in the header), and since each router sees that the route has already been determined by the sender, it then honours (as best it can) the routing by forwarding the packet to the next router on the list.

It is dangerous because hackers can use it to circumvent security policies if they know that diverse routes exist. Source-routing deviates from the destination-based routing paradigm. Token-Ring networks from years back made heavy use of source-routing (at the MAC layer).
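The mechanism Kevin and the poster above describe (the sender writing a router list into the IP options field, and each router that honours it forwarding to the next listed address) is the RFC 791 Loose/Strict Source and Record Route option. The following is an added example written for this thread, not code from any poster or from Cisco: it builds an IPv4 header carrying an LSRR option, shows the check a filter or detector would use to recognise such a packet (the thing a router with no ip source-route refuses to honour), and applies the per-hop rewrite that a router which does honour the option performs. All addresses are constructed sample values, the function names are my own, and the code models the RFC behaviour, not any particular vendor's implementation.

```python
"""IPv4 source-route option (RFC 791 LSRR type 131 / SSRR type 137): build, detect, hop.
Added example for this thread; the addresses used below are constructed samples."""
import ipaddress
import struct

LSRR, SSRR, EOL, NOP = 131, 137, 0, 1
KINDS = {LSRR: "LSRR", SSRR: "SSRR"}


def _pack(addr):
    return ipaddress.IPv4Address(addr).packed


def _checksum(data):
    """Standard one's-complement IP header checksum; verifying a filled header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_source_route_option(hops, strict=False):
    """type, length, pointer (starts at 4), then the 4-byte router list the sender dictates.
    The sender puts the first router in the destination field and the rest (ending with
    the real destination) in this list."""
    if not 1 <= len(hops) <= 9:  # 3 + 4*9 = 39 bytes fits the 40-byte options limit
        raise ValueError("1..9 hops")
    return bytes([SSRR if strict else LSRR, 3 + 4 * len(hops), 4]) + b"".join(_pack(h) for h in hops)


def build_ipv4_header(src, dst, options=b"", proto=6, ttl=64, payload_len=0):
    """20-byte fixed header plus options padded with EOL to a 32-bit boundary, checksum filled."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                                0, 0, ttl, proto, 0, _pack(src), _pack(dst)) + options)
    hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
    return bytes(hdr)


def parse_options(header):
    """Return (type, offset_in_header, length) per option; rejects malformed lengths."""
    ihl = (header[0] & 0x0F) * 4
    out, i = [], 20
    while i < ihl:
        t = header[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed IP option at offset %d" % i)
        out.append((t, i, header[i + 1]))
        i += header[i + 1]
    return out


def source_route(header):
    """Detection check: (kind, router list, pointer) if LSRR/SSRR is present, else None.
    A router configured with no ip source-route drops packets for which this is not None."""
    for t, off, ln in parse_options(header):
        if t in KINDS:
            addrs = [str(ipaddress.IPv4Address(header[k:k + 4])) for k in range(off + 3, off + ln, 4)]
            return KINDS[t], addrs, header[off + 2]
    return None


def forward_as_router(header, my_addr):
    """One hop of RFC 791 source-route processing on a router that honours the option.
    If the pointer is past the list, the packet is routed normally to its destination;
    otherwise the listed address becomes the new destination, the slot is overwritten
    with this router's address (the 'record route' half) and the pointer advances by 4.
    TTL handling is omitted. Returns (next_hop, rewritten_header)."""
    hdr = bytearray(header)
    for t, off, ln in parse_options(header):
        if t in KINDS:
            ptr = hdr[off + 2]
            if ptr > ln:
                break  # list exhausted: deliver to the final destination
            slot = off + ptr - 1  # pointer is 1-based relative to the option's first byte
            next_hop = bytes(hdr[slot:slot + 4])
            hdr[slot:slot + 4] = _pack(my_addr)
            hdr[16:20] = next_hop
            hdr[off + 2] = ptr + 4
            hdr[10:12] = b"\x00\x00"
            hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
            break
    return str(ipaddress.IPv4Address(bytes(hdr[16:20]))), bytes(hdr)


if __name__ == "__main__":
    # Sender 10.0.0.10 forces the path 10.0.0.1 -> 192.0.2.1 -> 198.51.100.1 -> 203.0.113.5.
    opt = build_source_route_option(["192.0.2.1", "198.51.100.1", "203.0.113.5"])
    pkt = build_ipv4_header("10.0.0.10", "10.0.0.1", opt)
    print("sender emits:", source_route(pkt))
    for router in ("10.0.0.1", "192.0.2.1", "198.51.100.1", "203.0.113.5"):
        nxt, pkt = forward_as_router(pkt, router)
        print("%-14s forwards to %-14s option now %s" % (router, nxt, source_route(pkt)))
```

Running the script shows why the thread calls this dangerous: the sender, not any routing table, chose every hop, and the recorded list that remains at the destination is the path it dictated. The source_route() check is the same test a packet filter applies; the cheap fix on the router itself is simply not to honour the option.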

The explanation is reasonable. I just wonder why it is necessary to configure "no ip source-route" in the router (i.e. ASR903). Wouldn't it be better to have it disabled by default and just enable it if required?

Perhaps, and over the years Cisco has changed some default settings to conform with security recommendations. I.e. it might still eventually happen.

As to why Cisco might not have already done so, this feature is, I believe, part of the standards for IP. So if you disable it by default, you're overriding IP standards.