Next: Chapter 9 Up: Notes on ``TCP/IP Illustrated'' Previous: Chapter 7

Chapter 8

Section 8.5
Source routing is less and less useful, for two reasons. The first is that the maximum number of slots available in the IP header, nine, is shrinking relative to the diameter of the Internet. The second is that, since source routing can be used to force packets to go via a router that may be more trusted than the normal route, it can be used as a basis for various attacks. Therefore many routers these days are configured to block such packets -- Barry Margolin[29] writes: ``My guess is that at least 25% of the Internet is inaccessible to source-routed packets''.

However, Vernon Schryver writes[30]:

Note: the supposed security problems of source routing have been grossly exaggerated by ignorant trade rag espurts needing something to write about. They've done more harm than good.

The few applications that still use the IP source address for authentication and authorization should use the setsockopt() to turn off any source route that arrived with the SYN. Applications that use real authentication and authorization don't care.

The evils of IP source routes are similar to the evils of raw IP sockets in Windows XP that are going to lead to the end of the Internet realsoonnow. Both can be misused, but both are quite valuable (e.g. `traceroute -g`) and sane defenses against their misuses don't involve outlawing them.
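The setsockopt() step mentioned in the quoted note, sketched as an added example (it is not code from these notes or from the quoted author). A server that still authorizes by peer address reads the IP options the stack has stored for a freshly accepted connection and clears them if they carry a loose or strict source route. The function names are hypothetical, and the code assumes the buffer returned by getsockopt() starts at the first option byte.

```c
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* IP option type codes from RFC 791. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_LSRR = 0x83, OPT_SSRR = 0x89 };

/* Walk an IP options area: 1 = LSRR/SSRR present, 0 = absent, -1 = malformed. */
int has_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opts[i];
        if (type == OPT_EOL) break;                 /* end of option list */
        if (type == OPT_NOP) { i++; continue; }     /* one-byte padding */
        if (i + 1 >= len) return -1;                /* length byte missing */
        size_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;  /* runs past the buffer */
        if (type == OPT_LSRR || type == OPT_SSRR) return 1;
        i += olen;
    }
    return 0;
}

/* Call on a freshly accepted TCP socket before trusting the peer address.
 * Returns 1 if options were cleared, 0 if nothing needed clearing, -1 on error.
 * Assumption: the buffer from getsockopt() starts at the first option byte. */
int strip_source_route(int fd)
{
    unsigned char opts[40];                         /* IPv4 options: 40 bytes max */
    socklen_t len = sizeof opts;
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, opts, &len) < 0) return -1;
    if (has_source_route(opts, len) == 0) return 0; /* no route: keep options */
    /* Source route or unparseable options: drop them all, so replies are
     * routed normally rather than along the sender-chosen path. */
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0) return -1;
    return 1;
}

int main(void)
{
    /* Constructed sample: NOP, then LSRR (length 7, pointer 4) via 192.0.2.1. */
    const unsigned char sample[] = { 0x01, 0x83, 0x07, 0x04, 192, 0, 2, 1 };
    printf("source route present: %d\n", has_source_route(sample, sizeof sample));
    return 0;
}
```

Malformed option data is treated the same as a source route here: when the options cannot be parsed, clearing them is the conservative choice for an address-based check.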

James Davenport 2004-03-09