North American Network Operators Group
Re: not rewriting next-hop, pointing default, ...
On Thu, Sep 11, 1997 at 03:45:22PM -0700, Ran Atkinson wrote:
> On Sep 11 15:23, Randy Bush wrote:
> } Subject: Re: not rewriting next-hop, pointing default, ...
>
> % I also think it may be time we refuse to peer with anyone
> % who inhibits LSR, as it seems that validation is now mandatory.
> % I think we should be sending out a "LSR is mandatory" notice
> % to our peers. Comments?
>
> LSR is actually a significant security issue. So, while I do
> understand and am sympathetic to the operational debugging
> issues that LSR addresses, I think that requiring a peer to
> enable LSR more than 2 hops inside their network from the
> outside world is unreasonable.
>
> In a world where SSH were available in cisco routers and/or
> IPsec were more widely deployed, I might have different views.
> However, we are where we are.
>
> Regards,
>
> Ran
> [email protected]

I'd love to be able to reasonably run with LSR enabled. However, we then become the "bounce point" for all kinds of fun stuff, including denial of service attacks launched against *OTHERS*. It's off at our entrance routers for this reason.

If EVERY provider shut it off EXCEPT on the core (i.e. it was on where only network personnel could get to and use it) I wouldn't mind. But with it on all the way to the end customer circuit in many cases, enabling it on your core can create some serious security problems.

We *used* to run with it on, and shut it off for exactly this reason.

--
Karl Denninger ([email protected]) | MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219] | 56kbps DIGITAL ISDN DOV on analog lines!
Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
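The thread's operational point is that an edge router which honours loose source routing can be made to relay traffic on behalf of outsiders, so providers turn it off at their entrance routers. The following is an added example, not code from the thread or from any of its authors: a small IPv4 header parser that recognises the source-route options (LSRR, type 131, and SSRR, type 137, per RFC 791) so that an edge filter or an IDS rule can flag or drop such datagrams before they reach a device that would honour them. The function names, the hop-list decoder and the sample packets (built with documentation prefixes) are all constructed here for the demonstration.

```python
"""Detect IPv4 source-route options (LSRR/SSRR) in raw packet headers.

Added example for the NANOG LSR thread, not the list's or any vendor's
code. Option type numbers are from RFC 791: LSRR = 131, SSRR = 137.
The packets below are constructed samples for the demonstration.
"""
import struct

IPOPT_END = 0
IPOPT_NOP = 1
IPOPT_RR = 7       # record route: no forwarding effect, not flagged here
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Return a list of (option_type, option_data) tuples from an IPv4 header.

    Raises ValueError on a malformed header; an edge filter should treat
    such a packet as suspect rather than silently pass it.
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = packet[20:ihl]
    result = []
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == IPOPT_END:
            break
        if opt_type == IPOPT_NOP:           # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("bad option length")
        result.append((opt_type, options[i + 2:i + opt_len]))
        i += opt_len
    return result


def source_route_option(packet: bytes):
    """Return 'LSRR' or 'SSRR' if the header carries a source route, else None."""
    for opt_type, _ in parse_ipv4_options(packet):
        if opt_type in SOURCE_ROUTE_OPTIONS:
            return SOURCE_ROUTE_OPTIONS[opt_type]
    return None


def route_hops(packet: bytes):
    """Decode the hop list inside an LSRR/SSRR option as dotted-quad strings.

    Useful for logging which intermediate hosts a rejected packet asked for.
    """
    for opt_type, data in parse_ipv4_options(packet):
        if opt_type in SOURCE_ROUTE_OPTIONS:
            addrs = data[1:]                 # data[0] is the option pointer
            whole = len(addrs) // 4 * 4
            return [".".join(str(b) for b in addrs[k:k + 4])
                    for k in range(0, whole, 4)]
    return []


def build_ipv4_header(src, dst, options=b""):
    """Build a minimal IPv4 header (constructed sample; checksum left zero)."""
    while len(options) % 4:                  # options area is padded to 32 bits
        options += bytes([IPOPT_END])
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return header + options


# Constructed samples: a plain datagram, and one carrying an LSRR option
# (length 11 = 3 + 2 addresses, pointer 4) naming 192.0.2.1 then 198.51.100.7.
PLAIN = build_ipv4_header([10, 0, 0, 1], [10, 0, 0, 2])
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4]) + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7])
SOURCE_ROUTED = build_ipv4_header([10, 0, 0, 1], [10, 0, 0, 2], LSRR_OPT)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", SOURCE_ROUTED)):
        print(name, source_route_option(pkt), route_hops(pkt))
```

The parser deliberately raises on a bad IHL or option length instead of returning "no source route", so a filter built on it fails closed. This is the same policy the message describes at the router level: the well-known Cisco IOS global command `no ip source-route` makes the router discard any datagram carrying these options rather than forward it along the embedded hop list.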