North American Network Operators Group

Re: it's here

  • From: Christopher L. Morrow
  • Date: Wed Feb 13 11:12:43 2002

On Wed, 13 Feb 2002, Ron da Silva wrote:

> On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> >
> > >>>>> "sd" == Sean Donelan <[email protected]> writes:
> >
> > sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> > >>
> >
> > sd> ASN.1 is pretty cool, but I've been wondering are there that
> > sd> many ISPs which allow external SNMP access to their equipment?
> > sd> SNMP is a UDP management protocol, and even under the best of
> > sd> conditions, accepting packets from out of the blue isn't a good
> > sd> idea.
> >
> > Spoofed packets?
> >
> > It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> > all customer facing interfaces.
> But it should be not only feasible, but standard practice.

'Should be' is the key word here... in practical terms, though, this is not
feasible. There are revisions of OC-12 and OC-48 cards in platforms that
don't support filtering.

Long term all users of internet routing hardware (or routing hardware in
general) should push their vendors to implement line-rate filtering. There
really is no reason NOT to do it, is there? Even better would be the
ability to look inside the entire packet; this way the next Code Red can
be stopped at a higher level in the network where people that actually
care about the problem can take appropriate action.