nanog mailing list archives

RE: routing between provider edge and CPE routers


From: "Mike Bernico" <mbernico () illinois net>
Date: Wed, 29 Jan 2003 16:46:56 -0600




So, by accepting routes from CPE you create a huge security vulnerability
for your customers, and other parties.  This practice was understood as
very bad network engineering for decades.

Is there someplace I can find tidbits of information like this?  I
haven't been alive decades so I must have missed that memo.  Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.


1) for single-homed sites use static routing, period.  Dynamic routing
does not add anything useful in this case (if circuit is down, it's down,
there are no alternative ways to reach the customer's network).

I agree, and all the feedback I've gotten should help me convince my
peers.

The "convenience" of having to configure only the CPE box is no excuse.
Invest some resources in a rather trivial configuration management system,
which keeps track of what network addresses were allocated to which
customer, and produces corresponding bits of router configuration
automatically.  Most respectable ISPs did that a long time ago.  That will
also reduce your tech support costs.

I've never heard of software like that.  Do you have a recommended
vendor?  Is it typically developed in house?



PS. They should really require a test in "defensive networking" before
   letting anyone touch a provider's routers...

What can I say, I must work cheap!
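
A sketch of the kind of allocation-driven config generator the quoted advice describes, as an added example that is not part of the original post or any vendor's product. The allocation table, customer names, addresses and the IOS-style "ip route" output format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges; customer names,
# prefixes and next hops are hypothetical, not taken from the thread).
PROVIDER_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]
ALLOCATIONS = [
    {"customer": "acme", "prefix": "198.51.100.0/28", "next_hop": "192.0.2.2"},
    {"customer": "globex", "prefix": "198.51.100.16/28", "next_hop": "192.0.2.6"},
    {"customer": "initech", "prefix": "203.0.113.128/25", "next_hop": "192.0.2.10"},
]

def validate(allocations, provider_blocks):
    """Return [(customer, network, next_hop)] or raise ValueError on a bad record."""
    blocks = [ipaddress.ip_network(b) for b in provider_blocks]
    checked = []
    for rec in allocations:
        # Strict parsing rejects prefixes with host bits set (e.g. 198.51.100.5/28).
        net = ipaddress.ip_network(rec["prefix"])
        hop = ipaddress.ip_address(rec["next_hop"])
        # A customer route must fall inside space the provider actually owns.
        if not any(net.subnet_of(b) for b in blocks):
            raise ValueError(f"{rec['customer']}: {net} is outside provider space")
        # No two customers may be routed overlapping address space.
        for other, other_net, _ in checked:
            if net.overlaps(other_net):
                raise ValueError(f"{rec['customer']}: {net} overlaps {other} ({other_net})")
        checked.append((rec["customer"], net, hop))
    return checked

def render_static_routes(allocations, provider_blocks):
    """Emit one IOS-style static route per allocation, for the provider edge."""
    lines = []
    for customer, net, hop in validate(allocations, provider_blocks):
        lines.append(f"! customer {customer}")
        lines.append(f"ip route {net.network_address} {net.netmask} {hop}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_static_routes(ALLOCATIONS, PROVIDER_BLOCKS))
```

Because the provider edge only ever carries routes rendered from the allocation table, a misconfigured or hostile CPE has no way to announce address space it was not assigned.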



