nanog mailing list archives

Re: it's here


From: Jared Mauch <jared () puck Nether net>
Date: Wed, 13 Feb 2002 12:00:18 -0500


On Wed, Feb 13, 2002 at 08:38:03AM -0800, jerry scharf wrote:
> C'mon guys. Exchange point rate anti-spoof filtering is not necessary to 
> solve this problem.

        How do you filter your peers to prevent them from spoofing your
infrastructure space?  Not everyone filters their
customers because either a) they have a large and varying set of
routes (and ip sources) they may send at you b) they can't manage
it or c) their routers can't filter (fast enough).

> This is why there are switches (using vlans if you choose) and router 
> interfaces. Unless you are taking an OC3's worth of management traffic, you 
> create a net just for your management traffic, put it on an interface and 
> hang your entire site's snmp gear off of that. If you want it to be 
> private, GRE and 1918 addresses are your friends, and filter to allow only 
> traffic from those nets. None of this is new or hard.

        No it is not, but the problem is when extracting snmp data
(for billing for example) one can not always use an oob network
to extract this data or a vpn solution due to port-cost, etc.

        IMHO router vendors should be able to do the various types
of filtering at line-rate (strict rpf, loose rpf, "any rpf", 
rate-limit icmp, filter based on exact config to prevent DoS or track
such items).

        Some vendors did not consider this key functionality when
they designed their routers/linecards.

> Also, most everyone now supports snmpv3 security, so you can do that as 
> well. (I just do it the old way I know how, so I haven't played much with 
> this.)

        Sure, this works assuming all your pollers can support snmpv3
without any complicated problems and have resources to allocate to the
various projects that collect this data.  I'm sure there are a few
companies these days that are having a harder time getting the money
and resources to perform non-critical upgrades to these systems when
the current one works just fine.

        - Jared
-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
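The strict/loose RPF and infrastructure-source filtering discussed in the message above, as an added Python model that is not from the thread or from any router vendor: a toy FIB with longest-prefix match, plus an infrastructure ACL for peer-facing interfaces. The prefixes, interface names and FIB entries are constructed (documentation and RFC 1918 ranges), and "strict"/"loose" follow the usual uRPF definitions.

```python
import ipaddress

# Constructed example FIB: prefix -> egress interface. Documentation ranges only.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "peer0",        # default route via peer0
    ipaddress.ip_network("198.51.100.0/24"): "peer1",  # a peer's customer prefix
    ipaddress.ip_network("192.0.2.0/24"): "core0",     # our infrastructure (loopbacks, links)
    ipaddress.ip_network("10.250.0.0/16"): "mgmt0",    # RFC 1918 SNMP management net
}
INFRASTRUCTURE = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.250.0.0/16")]
EXTERNAL = {"peer0", "peer1"}  # interfaces facing peers

def lookup(src):
    """Longest-prefix match on the source address; returns (prefix, egress)."""
    addr = ipaddress.ip_address(src)
    matches = [(n, e) for n, e in FIB.items() if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else (None, None)

def rpf_ok(src, ingress, mode, allow_default=False):
    """Strict: the best route for src must point back out the ingress interface.
    Loose: any non-default route for src suffices (catches unrouted bogons, but
    not spoofing of space that is routed elsewhere, e.g. our own infrastructure).
    The default route only counts when allow_default is set."""
    net, egress = lookup(src)
    if net is None or (net.prefixlen == 0 and not allow_default):
        return False
    return egress == ingress if mode == "strict" else True

def infra_acl_ok(src, ingress):
    """Drop packets claiming an infrastructure/management source that arrive on a
    peer-facing interface; this does not depend on routing symmetry."""
    addr = ipaddress.ip_address(src)
    return not (ingress in EXTERNAL and any(addr in n for n in INFRASTRUCTURE))

def admit(src, ingress, mode):
    """Combined ingress policy: infrastructure ACL first, then the chosen RPF mode."""
    return infra_acl_ok(src, ingress) and rpf_ok(src, ingress, mode)

if __name__ == "__main__":
    cases = [("192.0.2.5", "peer0"),     # spoofed infrastructure source from a peer
             ("10.250.3.9", "peer1"),    # spoofed management-net source from a peer
             ("198.51.100.7", "peer1"),  # legitimate, symmetric routing
             ("198.51.100.7", "peer0"),  # legitimate but asymmetric: strict RPF drops it
             ("203.0.113.9", "peer0")]   # unrouted source, only the default matches
    for src, ifc in cases:
        print(f"{src:>14} on {ifc}: strict={rpf_ok(src, ifc, 'strict')} "
              f"loose={rpf_ok(src, ifc, 'loose')} acl={infra_acl_ok(src, ifc)}")
```

Loose RPF passes the spoofed 192.0.2.5 because a route for it exists, which is why the infrastructure ACL (or strict RPF where routing is symmetric) is what actually protects management space from peers.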

