cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
42159
Views
55
Helpful
7
Replies
Highlighted
Beginner

What is IP source Route ?

Please let me know what is IP source Route and why is it disable for security purpose.

Thanks in advance

7 REPLIES 7
Highlighted
Enthusiast

It's information in an IP header that allows the source host to dictate the path the packet uses to get to the destination rather than leaving the path to be determined by intermediate gateways.  This could allow a source to go around security devices that are typically in the path between source and destination. 

Highlighted

Thanks for your reply

Highlighted
Cisco Employee

Hello Nitin,

Cisco routers normally accept and process source routes. Unless a network depends on it, source routing should be disabled.

Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.

 

Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.

Remedy:

Use the 'no ip source-route' command to disable IP source routing on the router. Refer to your router documentation for specific instructions.

 

 

Regards,

Mohit 

Highlighted

Thanks Mohit..For explaining this topic in such a good way. :-)

Highlighted

Very informative response!

Highlighted

How to do this on C1000-24T-4G-L, Version 15.2(7r)E? There is no "no ip source-route" option...

Greetings in advance..

Highlighted

I was not aware that the ip source-route command was not available in the C1000. But if it is not then I am not very surprised. source-route is an issue from MANY years ago. It has been disabled by default for a long time. Looks like Cisco has eliminated a command that is not relevant to our networking environment. My advice is to not worry about how to implement it.

HTH

Rick