Re: IPIP Tunnelling.

David Woodhouse (D.W.Woodhouse@nortel.co.uk)
Thu, 14 Aug 1997 16:38:39 +0100


kuznet@ms2.inr.ac.ru said:
> > ...we could have the tunnel driver go through the IPIP headers one by
> > one until it reaches the real IP packet in the middle, and refuse to
> > package it if it has ever been sent out by this tunnel device.

> It is a good option, some routers really do it. Unfortunately, it is
> very expensive but still not a 100% reliable solution -- do not forget
> about fragmentation.

Is it that expensive? In most cases, we won't use IPIP-in-IPIP, so a simple check on the protocol type of the encapsulated packet will suffice. When an IPIP packet is to be encapsulated, it's just necessary to check the source address of each IP header isn't a local address.

If we drop a packet because it's looped, it's reasonable to stop sending all packets to that destination. So when we detect the first looped packet for a destination, we could generate an icmp host/net unreachable and stop sending _any_ packets to that host/net, so then we won't try sending the fragments. We could put a timeout on that, so if a loop is detected, it'll wait a minute or two before trying to send there again.

There wouldn't be many cases that fall through this check, would there?

-- 
David Woodhouse,	CB3 9AN		http://dwmw2.robinson.cam.ac.uk/
	dwmw2@cam.ac.uk 		 Tel: 0976 658355        
	D.W.Woodhouse@nortel.co.uk	 Tel: 01279 402332
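
The header walk discussed in this message, as an added example in C that is not part of the original post or of any kernel source. It checks the source address of every IPIP header against the tunnel's own endpoint address and reports where fragmentation prevents the check. The names (ipip_loop_check, sample, SELF, OTHER, MAX_NEST) and all addresses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPIP 4 /* IANA protocol number for IP-in-IP */
#define MAX_NEST 8   /* assumed cap on how deep we are willing to walk */
enum verdict { PKT_OK, PKT_LOOPED, PKT_UNVERIFIED, PKT_MALFORMED };

/* Constructed addresses (documentation ranges): our tunnel endpoint, a peer. */
static const uint8_t SELF[4] = {192, 0, 2, 1}, OTHER[4] = {203, 0, 113, 9};

/* Walk nested IPv4 headers before encapsulating pkt. Only headers that
 * carry IPIP are tunnel headers, so only their source is compared to self. */
enum verdict ipip_loop_check(const uint8_t *pkt, size_t len, const uint8_t self[4])
{
    for (int depth = 0; depth < MAX_NEST; depth++) {
        if (len < 20 || (pkt[0] >> 4) != 4) return PKT_MALFORMED;
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        if (ihl < 20 || ihl > len) return PKT_MALFORMED;
        if (pkt[9] != PROTO_IPIP) return PKT_OK;      /* reached the real packet */
        if (memcmp(pkt + 12, self, 4) == 0) return PKT_LOOPED;
        /* Non-first fragment: the payload does not start with an IP header,
         * so the inner chain cannot be inspected (the fragmentation gap). */
        if ((((unsigned)pkt[6] << 8) | pkt[7]) & 0x1fff) return PKT_UNVERIFIED;
        pkt += ihl;
        len -= ihl;
    }
    return PKT_UNVERIFIED; /* nested deeper than MAX_NEST */
}

/* Write a minimal 20-byte IPv4 header (checksum and lengths left zero). */
static void mk_hdr(uint8_t *h, uint8_t proto, const uint8_t src[4], uint16_t frag)
{
    memset(h, 0, 20);
    h[0] = 0x45; h[9] = proto;
    h[6] = (uint8_t)(frag >> 8); h[7] = (uint8_t)frag;
    memcpy(h + 12, src, 4);
}

/* Constructed sample: IPIP(src=OTHER, frag) / IPIP(src=mid) / TCP. */
enum verdict sample(const uint8_t mid[4], uint16_t outer_frag)
{
    uint8_t pkt[60];
    mk_hdr(pkt, PROTO_IPIP, OTHER, outer_frag);
    mk_hdr(pkt + 20, PROTO_IPIP, mid, 0);
    mk_hdr(pkt + 40, 6, OTHER, 0);
    return ipip_loop_check(pkt, sizeof pkt, SELF);
}

int main(void) { printf("%d %d %d\n", sample(OTHER, 0), sample(SELF, 0), sample(SELF, 185)); return 0; }
```

The third sample returns PKT_UNVERIFIED even though an inner header carries our own address: a non-first fragment hides the inner chain, which is the case the proposed per-destination hold-down is meant to cover.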