North American Network Operators Group


Re: What Worked - What Didn't

  • From: Jeff Aitken
  • Date: Mon Sep 17 18:25:17 2001

On Mon, Sep 17, 2001 at 02:32:56PM -0700, Roeland Meyer wrote:
> Why, IGP shouldn't even be visible from outside the border, neh? Internal
> issues are, internal issues. If it leaks, plug the leak.

Randy said _think_ about it.  Does your IGP run over IP?  Might
that be a vector?  Might your customers have the ability to do
things that non-customers cannot?  Does your architecture require
you to mark all customer-facing interfaces as "passive"?  Do you
verify regularly that you don't have a misconfiguration in this
area?  Are you vulnerable to arp games at your point of customer-attach?
Do you have SNMP access to your routers carefully filtered?  Are
you running multicast?  Are there bugs that affect only multicast
routing?  Are you running code that is vulnerable to those bugs?
I'm sure there are other avenues of attack, but these are just a
few that we've considered here.

If I can compromise your IGP I have a very good chance of being
able to melt down your entire network, or at least large portions
of it, almost at will.  In large networks, IGPs tend to go absolutely
haywire when they fail and the resulting implosion often obliterates
most traces of the event that started it -- at the very least, one
has to sift through mountains of log data to find the beginning of
the end.  Having been through this once, and working with folks
who went through it elsewhere on even larger networks, I assure
you that recovery time from such an event can stretch from several
hours to a few days.
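Several of the questions above (are customer-facing interfaces passive, do you verify that regularly, is SNMP access filtered) are the kind of thing that can be checked mechanically against saved router configs. The script below is an added example, not part of Jeff's message or of any NANOG tooling: it parses a constructed IOS-style configuration and reports customer-facing interfaces that take part in OSPF without being passive, plus SNMP communities configured without an access list. The "CUST:" description prefix used to recognise customer ports is an assumed local naming convention, and the config text is made up for the illustration.

```python
import ipaddress
import re

# Constructed IOS-style configuration for the example; not from any real router.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description CORE: link to core1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description CUST: acme-corp
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description CUST: example-net
 ip address 192.0.2.5 255.255.255.252
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.0.2.0 0.0.0.255 area 0
 passive-interface GigabitEthernet0/2
!
snmp-server community public RO
snmp-server community s3cret RO 10
!
"""

CUSTOMER_TAG = "CUST:"  # assumed convention: customer ports are described this way


def parse_config(text):
    """Split an IOS-style config into interfaces, OSPF settings and SNMP lines."""
    interfaces = {}
    ospf = {"networks": [], "passive": set(), "active": set(), "passive_default": False}
    snmp = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            section = None
            continue
        if not line.startswith(" "):
            # A top-level line either opens a stanza or is a global command.
            section = None
            if line.startswith("interface "):
                section = ("if", line.split(None, 1)[1])
                interfaces[section[1]] = {"description": "", "ip": None}
            elif line.startswith("router ospf"):
                section = ("ospf", None)
            elif line.startswith("snmp-server community "):
                snmp.append(line)
            continue
        body = line.strip()  # indented line: belongs to the open stanza
        if section is None:
            continue
        if section[0] == "if":
            iface = interfaces[section[1]]
            if body.startswith("description "):
                iface["description"] = body[len("description "):]
            elif body.startswith("ip address "):
                iface["ip"] = ipaddress.ip_address(body.split()[2])
        elif section[0] == "ospf":
            if body.startswith("network "):
                _, net, wild, *_ = body.split()
                ospf["networks"].append((ipaddress.ip_address(net), ipaddress.ip_address(wild)))
            elif body == "passive-interface default":
                ospf["passive_default"] = True
            elif body.startswith("passive-interface "):
                ospf["passive"].add(body.split(None, 1)[1])
            elif body.startswith("no passive-interface "):
                ospf["active"].add(body.split(None, 2)[2])
    return {"interfaces": interfaces, "ospf": ospf, "snmp": snmp}


def _in_network(addr, net, wildcard):
    """OSPF network statements match on the address bits the wildcard leaves as 0."""
    mask = ~int(wildcard) & 0xFFFFFFFF
    return int(addr) & mask == int(net) & mask


def is_passive(ospf, name):
    """Passive means no hellos are sent/accepted; honour 'passive-interface default'."""
    if ospf["passive_default"]:
        return name not in ospf["active"]
    return name in ospf["passive"]


def find_igp_exposure(cfg):
    """Customer-facing interfaces covered by an OSPF network statement but not passive."""
    exposed = []
    for name, iface in cfg["interfaces"].items():
        if not iface["description"].startswith(CUSTOMER_TAG) or iface["ip"] is None:
            continue
        in_igp = any(_in_network(iface["ip"], n, w) for n, w in cfg["ospf"]["networks"])
        if in_igp and not is_passive(cfg["ospf"], name):
            exposed.append(name)
    return exposed


def find_unfiltered_snmp(cfg):
    """SNMP communities with no access list restricting which hosts may use them."""
    pat = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")
    return [m.group(1) for m in map(pat.match, cfg["snmp"]) if m and m.group(3) is None]


def audit(text):
    cfg = parse_config(text)
    return {"igp_exposed": find_igp_exposure(cfg), "snmp_unfiltered": find_unfiltered_snmp(cfg)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the constructed config it flags GigabitEthernet0/1 (a customer port inside an OSPF network statement with no passive-interface line) and the `public` community. The point of a check like this is the "verify regularly" part of the post: run it over every config backup so a port that was added without the passive line is caught before someone else notices it.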