On Thu, Nov 17, 2011 at 10:17 AM, harbor235 <harbor...@gmail.com> wrote:
> Sure, but mirroring a port on the edge may not be the best way to go; ACL
> hits and logs dumped to syslog may be the best approach. So if you're
> capturing traffic, how are you mitigating this traffic with minimal impact?
>

Sorry, my question was: "Do you have some pcaps? I'd be interested in
seeing what sort of packets you are seeing with options added to them."

I've seen things like mcast/pim/etc that will do this, and RSVP. I've not
seen in-the-wild packets with options being a 'problem', though in theory
they can be painful :(

Some vendor gear has 'no ip-options' as an option... (which is really
'ignore ip options', I believe); some has the ability to filter based on
option(s).

-chris

> Mike
>
> On Thu, Nov 17, 2011 at 10:07 AM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>>
>> got pcaps?
>>
>> On Thu, Nov 17, 2011 at 10:04 AM, harbor235 <harbor...@gmail.com> wrote:
>> > Is it just me, or has there been an increase in packets with IP options
>> > set hitting our front door? There are ways to mitigate, e.g. IP options
>> > selective discard and ACL IP options support. ACL entries on the edge
>> > appear to be the best way to identify and log the source.
>> > IP options selective discard drops packets silently, so from my view they
>> > are not as effective.
>> >
>> > Is anyone doing anything else to identify and mitigate? I have been
>> > seeing hits on our firewalls but would rather take care of it at our edge
>> > with little or no impact.
>> >
>> > Mike
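The thread's preferred approach is to identify and log the source of packets carrying IP options rather than silently dropping them. The following is an added example, not code from any participant in the thread or from any vendor's gear: a small Python parser that flags IPv4 packets whose IHL exceeds 5, decodes the option list (including the Router Alert option that RSVP, PIM and IGMP traffic legitimately carry), and emits one syslog-style line per offending source. All packets are constructed inline for the demonstration (the header checksum is left at zero since only the header fields are inspected), the option names follow RFC 791 and the IANA option-number registry, and the function and field names are this example's own.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

# Well-known IPv4 option type octets (copied flag + class + number, RFC 791 / IANA).
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 7: "RR", 68: "TS",
    130: "SEC", 131: "LSRR", 137: "SSRR", 148: "RA",
}


@dataclass
class IPv4Header:
    src: str
    dst: str
    proto: int
    ihl: int
    options: list = field(default_factory=list)  # list of (type, raw option bytes)


def describe_option(opt_type: int) -> str:
    """Map an option type octet to its registry mnemonic, or optN if unknown."""
    return OPTION_NAMES.get(opt_type, f"opt{opt_type}")


def decode_options(raw: bytes) -> list:
    """Walk the option area of a header; raise ValueError on a malformed length."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == 0:                       # End of Option List: stop, rest is padding
            opts.append((0, raw[i:i + 1]))
            break
        if t == 1:                       # No Operation: single octet, no length field
            opts.append((1, raw[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option missing length octet")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} for type {t}")
        opts.append((t, raw[i:i + length]))
        i += length
    return opts


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Parse the fixed header plus any options; IHL > 5 means options are present."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = pkt[0] & 0x0F
    hdr_len = ihl * 4
    if ihl < 5 or len(pkt) < hdr_len:
        raise ValueError(f"bad IHL {ihl}")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return IPv4Header(src, dst, pkt[9], ihl, decode_options(pkt[20:hdr_len]))


def audit(packets) -> list:
    """Return one log line per packet that carries IP options or is malformed."""
    lines = []
    for pkt in packets:
        try:
            h = parse_ipv4(pkt)
        except ValueError as err:
            src = str(ipaddress.IPv4Address(pkt[12:16])) if len(pkt) >= 20 else "?"
            lines.append(f"MALFORMED src={src} reason={err}")
            continue
        if h.ihl == 5:
            continue                     # plain header, nothing to report
        names = ",".join(describe_option(t) for t, _ in h.options if t not in (0, 1))
        lines.append(f"IPOPT src={h.src} dst={h.dst} proto={h.proto} ihl={h.ihl} opts={names}")
    return lines


def build_ipv4(src, dst, proto=6, options=b"", payload=b"") -> bytes:
    """Construct a test packet (checksum zero): pad options to 32 bits and set IHL."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


# Constructed sample traffic (documentation address ranges).
PLAIN = build_ipv4("192.0.2.10", "198.51.100.1", proto=6)
ROUTER_ALERT = build_ipv4("192.0.2.10", "224.0.0.22", proto=2, options=b"\x94\x04\x00\x00")
RECORD_ROUTE = build_ipv4("203.0.113.7", "198.51.100.1", proto=1,
                          options=b"\x07\x0b\x04" + b"\x00" * 8)
LOOSE_SRC = build_ipv4("203.0.113.9", "198.51.100.1", proto=6,
                       options=b"\x83\x07\x04" + bytes([192, 0, 2, 1]))
BAD_LENGTH = build_ipv4("203.0.113.11", "198.51.100.1", proto=6, options=b"\x07\x20\x04\x00")
SAMPLE_PACKETS = [PLAIN, ROUTER_ALERT, RECORD_ROUTE, LOOSE_SRC, BAD_LENGTH]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Feeding the resulting lines to syslog gives the per-source visibility the thread asks for without dropping anything; the Router Alert entries from multicast and RSVP speakers are expected on most networks, while a packet that fails the option-length check is reported separately because a parser that trusts that length is exactly where IP-option handling tends to hurt.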