North American Network Operators Group


Re: Telco's write best practices for packet switching networks

  • From: Sean Donelan
  • Date: Mon Mar 11 04:55:36 2002

On Fri, 8 Mar 2002, Vadim Antonov wrote:
> So, i would say i'm pro-OOB where it concerns clean confinement of control
> traffic into a non-routable, unconditionally-prioritized frames, and
> contra-OOB when it comes to making separate networks for control traffic.
> Your definition of "separate network" may vary :)

Of course, like many things, security looks easy until you have
to do it yourself.  So I don't mean to suggest there are
really any easy answers.

But I've been wondering about simple structural changes which would
improve the intrinsic security of the net.  For example, remember when
BARRNET had the problem with people stealing passwords on their backbone.
One simple change was removing general purpose computers which could
be used as sniffers from their core router LANs.

My simple question is why do exchange point prefixes or backbone
network prefixes need to be announced to peers or customers?  If no
one announced IXP prefixes, it would be more difficult (modulo
LSSR/SSSR) to send bogus packets at distant routing gateways.  The
attacker would need to be directly connected, or compromise something.

This has been something which has bugged me ever since I connected
a router to mae-east.  There is no "true" ASN for inter-provider
network prefixes, yet the prefixes show up in the BGP tables via multiple
providers.  Private inter-ISP links aren't any better.  They are
frequently taken from some provider's internal space, and announced
by a combination of providers.

This isn't really OOB, but similar to your idea of not using a
globally routable network to exchange routing information.  It's
not as difficult as making a 127/8 kludge.  It's a small matter
of not announcing prefixes used for BGP to your BGP peers (next-hop-self).
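As an added illustration of the check an operator would run before trusting this approach (example code, not from Sean Donelan's post; the prefixes are constructed documentation-range values), the script below compares what a router advertises to an external peer against the IXP and backbone prefixes that carry BGP sessions. It also covers the case the post raises where link space is carved out of a provider's own aggregate: that aggregate cannot be withheld without cutting off customers, so it is reported separately.

```python
import ipaddress

# Constructed sample data (not from the original post).
# Infrastructure space that carries BGP sessions and should not be
# reachable from the wider Internet: IXP fabric, inter-ISP links, backbone.
INFRA_PREFIXES = [
    "192.0.2.0/24",      # exchange-point fabric
    "198.51.100.0/30",   # private inter-ISP link, carved from our aggregate
    "203.0.113.0/25",    # backbone router links and loopbacks
]

# Prefixes this router currently sends to one external peer, as you would
# parse them from the router's advertised-routes output.
ADVERTISED_TO_PEER = [
    "198.51.100.0/22",   # customer aggregate that also covers the link /30
    "192.0.2.0/24",      # IXP prefix leaking out verbatim
    "203.0.113.0/26",    # more-specific of the backbone range
    "100.64.0.0/16",     # unrelated customer space
]


def audit_advertisements(advertised, infra):
    """Classify each advertised prefix against infrastructure space.

    'leak'      - equal to or inside infra space: simply stop announcing it.
    'aggregate' - larger than and covering infra space: cannot be withheld
                  without breaking customers, so the infra hosts need edge
                  ACLs or must be renumbered into separate, unannounced space.
    'clean'     - no overlap with infra space.
    """
    infra_nets = [ipaddress.ip_network(p, strict=True) for p in infra]
    result = {"leak": [], "aggregate": [], "clean": []}
    for p in advertised:
        net = ipaddress.ip_network(p, strict=True)
        same = [i for i in infra_nets if i.version == net.version]
        if any(net.subnet_of(i) for i in same):
            result["leak"].append(p)
        elif any(i != net and i.subnet_of(net) for i in same):
            result["aggregate"].append(p)
        else:
            result["clean"].append(p)
    return result


if __name__ == "__main__":
    report = audit_advertisements(ADVERTISED_TO_PEER, INFRA_PREFIXES)
    for kind, prefixes in report.items():
        for p in prefixes:
            print(f"{kind:9s} {p}")
```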