Full Disclosure mailing list archives
cisco
From: hobbit () avian org (*Hobbit*)
Date: Wed, 16 Jul 2003 20:45:13 +0000 (GMT)
> workaround would be to firewall the router's own IP address(es). This would
> still allow the router to perform its routing function for other IPs

Y'mean this *still* isn't done as standard best practice? *sigh* ... well, perhaps not, because of speed considerations, real or perceived, from slapping an ACL on an interface. Can't accept a minor slowdown in the interest of security, now can we?

In the interest of addressing this in an efficient manner, particularly if anyone from cisco is listening, how 'bout this: implement some way for an interface processor to recognize a small set of source or destination addresses, i.e. the router's own set, and push packets involving them up to process-switched level where a special ACL handles all the "to/from ME" traffic. Perhaps define a new interface type to hang it on, but do retain a notion of which interface a packet came from during processing.

Is there some other minimal-impact workaround these days? I'm pretty out of touch with cisco "sales engineer" pablum lately.

_H*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
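The interface-ACL workaround the post is discussing, written out as an added example (not part of the original post or thread): a named extended IOS ACL that drops most traffic addressed to the router's own addresses while leaving transit traffic alone. The addresses, subnet and interface name are constructed for illustration.

```cisco
! Added example, not from the original post. Constructed documentation
! addresses are used throughout:
!   203.0.113.1      this router's address on Serial0/0 (the untrusted side)
!   203.0.113.2      the BGP neighbour on that link
!   192.0.2.1        this router's Loopback0, used as its management address
!   198.51.100.0/24  the trusted management subnet
ip access-list extended PROTECT-SELF
 remark --- traffic the router itself must accept ---
 ! management: SSH only, and only from the trusted subnet
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 22
 ! routing protocol session with the directly connected neighbour
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 ! just enough ICMP to keep path MTU discovery and troubleshooting working
 permit icmp any host 203.0.113.1 echo
 permit icmp any host 203.0.113.1 packet-too-big
 permit icmp any host 203.0.113.1 ttl-exceeded
 remark --- everything else aimed at the router's own addresses is dropped ---
 deny   ip any host 203.0.113.1 log
 deny   ip any host 192.0.2.1 log
 remark --- transit traffic is untouched ---
 permit ip any any
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group PROTECT-SELF in
```

The deny lines have to name every interface and loopback address the router holds, and the `log` keyword on them is what lets you see who is probing the router itself rather than routing through it. The receive-path filter the post asks for later appeared as receive ACLs and control-plane policing on the IOS platforms that support them.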
Current thread:
- cisco *Hobbit* (Jul 16)
- Re: cisco Carl Livitt (Jul 17)