North American Network Operators Group

Re: it's here
On Wed, 13 Feb 2002, Ron da Silva wrote:

>
> On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> >
> > >>>>> "sd" == Sean Donelan <[email protected]> writes:
> >
> > sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> > >> http://www.cert.org/advisories/CA-2002-03.html
> >
> > sd> ASN.1 is pretty cool, but I've been wondering are there that
> > sd> many ISPs which allow external SNMP access to their equipment?
> > sd> SNMP is a UDP management protocol, and even under the best of
> > sd> conditions, accepting packets from out of the blue isn't a good
> > sd> idea.
> >
> > Spoofed packets?
> >
> > It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> > all customer facing interfaces.
>
> But it should be not only feasible, but standard practice.

'Should be' is the key word here... in practical terms though this is not feasible. There are revisions of oc-12 and oc-48 cards in platforms that don't support filtering.

Long term all users of internet routing hardware (or routing hardware in general) should push their vendors to implement line-rate filtering. There really is no reason NOT to do it, is there? Even better would be the ability to look inside the entire packet; this way the next code-red can be stopped at a higher level in the network where people that actually care about the problem can take appropriate action.

-Chris