nanog mailing list archives
Re: it's here
From: Sean Donelan <sean () donelan com>
Date: Tue, 12 Feb 2002 15:16:08 -0500 (EST)
On 12 Feb 2002, Eric Brandwine wrote:
> sd> SNMP is a UDP management protocol, and even under the best of
> sd> conditions, accepting packets from out of the blue isn't a good
> sd> idea.
>
> Spoofed packets? It's not feasible to filter antispoof at OC-12 or
> OC-48 line rate on all customer facing interfaces.

I can remember many cases when my HP OpenView network discovery process would attempt to map the entire Internet because it strayed into a peer's network. So it may be fairly common.

At least one provider has told me they don't use in-band management for their network infrastructure. They have a completely separate frame network connecting to POP management LANs, which in turn is connected to separate management ports on the equipment. I don't know how common this is among large providers.

I had a smaller network, so I filtered the IP block used for my management LAN from all external sources (and "logged" the ACLs so I picked up the stray packets from places I missed). A "real" packet should never be sourced from outside my network topology, so even if you spoofed the IP address the topology would block it. Of course, this depended on topological integrity.

I can understand why larger providers can't do that; it doesn't scale. But there are a lot of small and medium providers that can do it.

I agree, it's a glass house issue. I was just wondering how bad of an issue it really is.
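
One way to review the logged ACL denies described in the message above, as an added example that is not part of the original post: it groups hits by reporting router and separates outside packets aimed at the management block from outside packets claiming a management source address. The management prefix, router names and log lines are constructed, and the Cisco IOS-style syslog format is an assumption about the equipment.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management LAN block (documentation prefix, not from the post).
MGMT_BLOCK = ipaddress.ip_network("192.0.2.0/24")

# Cisco IOS-style ACL deny message as it appears in syslog, prefixed by the
# reporting router's hostname.
LOG_RE = re.compile(
    r"(?P<router>\S+) %SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log lines (router names and addresses are made up).
SAMPLE = [
    "Feb 12 15:01:02 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(40211) -> 192.0.2.10(161), 1 packet",
    "Feb 12 15:01:09 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(40212) -> 192.0.2.10(161), 3 packets",
    "Feb 12 15:02:30 edge2 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.5(161) -> 203.0.113.9(162), 2 packets",
    "Feb 12 15:03:00 edge2 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(51000) -> 203.0.113.20(23), 1 packet",
    "Feb 12 15:03:05 edge2 %LINK-3-UPDOWN: Interface Serial0/1, changed state to up",
]

def summarize(lines):
    """Return {(router, reason, src, dport): packets} for denies touching MGMT_BLOCK."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL deny record
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in MGMT_BLOCK:
            # Arrived at an edge claiming a management source: spoofed or misrouted.
            reason = "mgmt-source-from-outside"
        elif dst in MGMT_BLOCK:
            # Outside host probing or straying toward the management LAN.
            reason = "outside-to-mgmt"
        else:
            continue  # deny unrelated to the management block
        hits[(m["router"], reason, m["src"], int(m["dport"]))] += int(m["count"])
    return hits

if __name__ == "__main__":
    for key, packets in sorted(summarize(SAMPLE).items()):
        print(key, packets)
```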