North American Network Operators Group


Re: not rewriting next-hop, pointing default, ...

  • From: Karl Denninger
  • Date: Thu Sep 11 18:59:56 1997

On Thu, Sep 11, 1997 at 03:45:22PM -0700, Ran Atkinson wrote:
> On Sep 11 15:23, Randy Bush wrote:
> } Subject: Re: not rewriting next-hop, pointing default, ...
> % I also think it may be time we refuse to peer with anyone
> % who inhibits LSR, as it seems that validation is now mandatory.
> % I think we should be sending out a "LSR is mandatory" notice
> % to our peers.  Comments?
> LSR is actually a significant security issue.  So, while I do
> understand and am sympathetic to the operational debugging
> issues that LSR addresses, I think that requiring a peer to
> enable LSR more than 2 hops inside their network from the
> outside world is unreasonable.
> In a world where SSH were available in cisco routers and/or
> IPsec were more widely deployed, I might have different views.
> However, we are where we are.
> Regards,
> Ran
> [email protected]

I'd love to be able to reasonably run with LSR enabled.

However, we then become the "bounce point" for all kinds of fun stuff,
including denial of service attacks launched against *OTHERS*.

It's off at our entrance routers for this reason.  If EVERY provider shut
it off EXCEPT on the core (i.e., it was on where only network personnel could
get to and use it) I wouldn't mind.  But with it on all the way to the end
customer circuit in many cases, enabling it on your core can create some
serious security problems.

We *used* to run with it on, and shut it off for exactly this reason.  

Karl Denninger ([email protected])| MCSNet - Serving Chicagoland and Wisconsin
                             | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
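The packets under discussion, as an added example that is not part of the original thread or of any vendor's code: a small Python parser that recognises the IPv4 Loose Source and Record Route (type 0x83) and Strict Source and Record Route (type 0x89) options, which is what a border router with source routing disabled discards. With LSRR the destination field names the router that is expected to forward the packet, and the option's address list (from the pointer onward) names where it goes next; that is what turns an LSR-enabled entrance router into the "bounce point" Karl describes. The packet bytes, addresses (documentation prefixes) and function names below are constructed for this example.

```python
"""Detect IPv4 source-route options (LSRR 0x83 / SSRR 0x89) in raw packet bytes.

Constructed example: the header builder, the parser and the sample addresses
are illustrative, not taken from the thread or from any router's code.
"""
import ipaddress
import struct
from typing import Optional

IPOPT_EOL = 0       # end of option list
IPOPT_NOP = 1       # no-operation (1-byte padding)
IPOPT_LSRR = 0x83   # Loose Source and Record Route
IPOPT_SSRR = 0x89   # Strict Source and Record Route


def build_ipv4_with_lsrr(src: str, dst: str, route: list) -> bytes:
    """Build a minimal IPv4 header (no payload) carrying an LSRR option.

    `dst` is the router being used as the bounce point; `route` lists the
    hops it must forward to.  The pointer starts at 4 (first address slot).
    """
    opt = bytes([IPOPT_LSRR, 3 + 4 * len(route), 4])
    for hop in route:
        opt += ipaddress.IPv4Address(hop).packed
    while len(opt) % 4:            # pad the option area to a 32-bit boundary
        opt += bytes([IPOPT_EOL])
    ihl = 5 + len(opt) // 4
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,   # checksum left zero: header-only demo
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return hdr + opt


def parse_source_route(packet: bytes) -> Optional[dict]:
    """Return {'kind', 'route', 'next_hop'} for an LSRR/SSRR option, else None.

    Walks the option area honouring EOL and NOP, and refuses malformed
    lengths instead of reading past the header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            return None                      # truncated option header
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            return None                      # option claims more than the header holds
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3:
                return None
            pointer = packet[i + 2]          # 1-based offset of the next address slot
            n_addrs = (length - 3) // 4
            route = [str(ipaddress.IPv4Address(packet[i + 3 + 4 * k:i + 7 + 4 * k]))
                     for k in range(n_addrs)]
            next_hop = None
            # RFC 791: a pointer past the option length means the route is exhausted.
            if pointer >= 4 and pointer + 3 <= length and (pointer - 4) % 4 == 0:
                next_hop = route[(pointer - 4) // 4]
            return {"kind": "LSRR" if kind == IPOPT_LSRR else "SSRR",
                    "route": route, "next_hop": next_hop}
        i += length
    return None


def drop_at_edge(packet: bytes) -> bool:
    """Border policy from the thread: discard any source-routed packet on ingress."""
    return parse_source_route(packet) is not None


if __name__ == "__main__":
    # Constructed sample: attacker 192.0.2.10 addresses the packet to border router
    # 198.51.100.1 and asks it to forward on to 203.0.113.5, then 203.0.113.9.
    pkt = build_ipv4_with_lsrr("192.0.2.10", "198.51.100.1", ["203.0.113.5", "203.0.113.9"])
    print(parse_source_route(pkt), "drop:", drop_at_edge(pkt))
```

The parser treats a malformed option (length running past the header) as a reason to reject the packet rather than as "no source route found"; an edge filter that returned None there would let a crafted header slip through the very check it exists for.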