North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: it's here

  • From: Jared Mauch
  • Date: Wed Feb 13 12:08:04 2002

On Wed, Feb 13, 2002 at 08:38:03AM -0800, jerry scharf wrote:
> C'mon guys. Exchange point rate anti-spoof filtering is not necessary to 
> solve this problem.

	How do you filter your peers to prevent them from spoofing your
infrastructure space?  Not everyone filters their
custoemrs because either a) they have a large and varying set of
routes (and ip sources) they may send at you b) they can't manage
it or c) their routers can't filter (fast enough).

> This is why there are switches (using vlans if you choose) and router 
> interfaces. Unless you are taking an OC3's worth of management traffic, you 
> create a net just for your management traffic, put in on an interface and 
> hang your entire site's snmp gear off of that. If you want it to be 
> private, GRE and 1918 addresses are your friends, and filter to allow only 
> traffic from those nets. None of this is new or hard.

	No it is not but the problem is when extracing snmp data
(for billing for example) one can not always use an oob network
to extract this data or a vpn solution due to port-cost, etc..

	IMHO router vendors should be able to do the various types
of filtering at line-rate (strict rpf, loose rpf, "any rpf", 
rate-limit icmp, filter based on exact config to prevent DoS or track
such items).

	Some vendors did not consider this key functionality when
they designed their routers/linecards.

> Also, most everyone now supports snmpv3 security, so you can do that as 
> well. (I just do it the old way I know how, so I haven't played much with 
> this.)

	Sure this works assuming all your pollers can support snmpv3
without any complicated problems and have resources to allocate to the
various projects that collect this data.  I'm sure there are a few
companies these days that are having a harder time getting the money
and resources to perform non-critical upgrades to these systems when
the current one works just fine.

	- Jared
-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.