nanog mailing list archives

Re: it's here


From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 13 Feb 2002 16:06:23 +0000 (GMT)




On Wed, 13 Feb 2002, Ron da Silva wrote:

> On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
>
> > "sd" == Sean Donelan <sean () donelan com> writes:
> >
> > sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> > sd> > http://www.cert.org/advisories/CA-2002-03.html
> >
> > sd> ASN.1 is pretty cool, but I've been wondering are there that
> > sd> many ISPs which allow external SNMP access to their equipment?
> > sd> SNMP is a UDP management protocol, and even under the best of
> > sd> conditions, accepting packets from out of the blue isn't a good
> > sd> idea.
> >
> > Spoofed packets?
> >
> > It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> > all customer facing interfaces.
>
> But it should be not only feasible, but standard practice.

'Should be' is the key word here... in practical terms, though, this is not
feasible. There are revisions of OC-12 and OC-48 cards in platforms that
don't support filtering.

Long term, all users of internet routing hardware (or routing hardware in
general) should push their vendors to implement line-rate filtering. There
really is no reason NOT to do it, is there? Even better would be the
ability to look inside the entire packet; that way the next Code Red can
be stopped at a higher level in the network, where people who actually
care about the problem can take appropriate action.

-Chris
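The point the thread circles around, as an added illustration (not code from the thread or from any router vendor): a source-address SNMP management ACL on its own trusts the very field that spoofing forges, while an anti-spoof (BCP 38 style) ingress filter on the customer-facing interface drops a forged management source before the ACL is ever consulted. The prefixes, interface and NMS addresses below are constructed assumptions using RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed model (added example, not from the thread or any vendor):
# a BCP 38 style anti-spoof ingress filter on a customer-facing interface,
# placed in front of a source-address SNMP management ACL. Prefixes are
# RFC 5737 documentation ranges; the NMS block is hypothetical.

CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]      # routed to the customer
TRUSTED_NMS = ipaddress.ip_network("198.51.100.0/28")            # hypothetical NMS block
SNMP_PORT = 161

def ingress_filter(pkt, customer_prefixes):
    """BCP 38: a packet entering on the customer interface may only carry a
    source address from that customer's own prefixes; anything else is spoofed."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in customer_prefixes):
        return "forward"
    return "drop:spoofed"

def snmp_acl(pkt, trusted_nms):
    """Source-based management ACL: SNMP is accepted only from the trusted NMS.
    On its own this trusts the source field, which is exactly what spoofing forges."""
    if pkt["proto"] != "udp" or pkt["dport"] != SNMP_PORT:
        return "not-snmp"
    return "accept" if ipaddress.ip_address(pkt["src"]) in trusted_nms else "reject"

def evaluate(pkt, anti_spoof=True):
    """Verdict for one packet arriving on the customer interface."""
    if anti_spoof and ingress_filter(pkt, CUSTOMER_PREFIXES) != "forward":
        return "drop:spoofed"
    acl = snmp_acl(pkt, TRUSTED_NMS)
    return "accept" if acl in ("accept", "not-snmp") else "reject"

# Constructed sample packets: a normal customer flow, a customer SNMP attempt,
# and a packet whose source claims to be the trusted NMS but arrives on the
# customer interface (the case the thread worries about).
SAMPLE_PACKETS = [
    {"id": "customer-web", "src": "192.0.2.10", "proto": "tcp", "dport": 80},
    {"id": "customer-snmp", "src": "192.0.2.10", "proto": "udp", "dport": 161},
    {"id": "forged-nms-snmp", "src": "198.51.100.5", "proto": "udp", "dport": 161},
]

def run(anti_spoof=True):
    return {p["id"]: evaluate(p, anti_spoof) for p in SAMPLE_PACKETS}

if __name__ == "__main__":
    for mode in (True, False):
        print(f"anti-spoof={'on' if mode else 'off'}: {run(mode)}")
```

With the ingress filter off, the forged-source SNMP packet is accepted by the ACL; with it on, the packet never reaches the ACL.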

