nanog mailing list archives
Re: it's here
From: Jared Mauch <jared () puck Nether net>
Date: Wed, 13 Feb 2002 12:00:18 -0500
On Wed, Feb 13, 2002 at 08:38:03AM -0800, jerry scharf wrote:
> C'mon guys. Exchange point rate anti-spoof filtering is not necessary to solve this problem.
How do you filter your peers to prevent them from spoofing your infrastructure space? Not everyone filters their customers because either a) they have a large and varying set of routes (and IP sources) they may send at you, b) they can't manage it, or c) their routers can't filter (fast enough).
> This is why there are switches (using vlans if you choose) and router interfaces. Unless you are taking an OC3's worth of management traffic, you create a net just for your management traffic, put it on an interface and hang your entire site's snmp gear off of that. If you want it to be private, GRE and 1918 addresses are your friends, and filter to allow only traffic from those nets. None of this is new or hard.
No, it is not, but the problem is that when extracting SNMP data (for billing, for example) one cannot always use an OOB network or a VPN solution to extract this data, due to port cost, etc. IMHO router vendors should be able to do the various types of filtering at line rate (strict RPF, loose RPF, "any RPF", rate-limit ICMP, filter based on exact config to prevent DoS or track such items). Some vendors did not consider this key functionality when they designed their routers/linecards.
> Also, most everyone now supports snmpv3 security, so you can do that as well. (I just do it the old way I know how, so I haven't played much with this.)
Sure, this works assuming all your pollers can support SNMPv3 without any complicated problems and have resources to allocate to the various projects that collect this data. I'm sure there are a few companies these days that are having a harder time getting the money and resources to perform non-critical upgrades to these systems when the current one works just fine.

- Jared

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
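To make the distinction between the strict and loose RPF checks mentioned above concrete, here is an added example (not from the thread or from any vendor) that models both checks and a management-net SNMP filter over a constructed FIB; the prefixes, interface names and management block are all assumed for illustration.

```python
# Toy model of unicast RPF (strict vs. loose) plus a management-net filter.
# Constructed example: the FIB and interface names are made up.
import ipaddress

# Constructed FIB: (prefix, egress interface). A default route is included
# so the checks can show why it must not satisfy an RPF lookup.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust0"),      # customer block behind cust0
    ("198.51.100.0/24", "peer0"),   # peer block behind peer0
    ("203.0.113.0/24", "mgmt0"),    # dedicated management net (assumed)
]
MGMT_NET = ipaddress.ip_network("203.0.113.0/24")
SNMP_PORT = 161


def lookup(src):
    """Longest-prefix match on the FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, ifname in FIB:
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def rpf_strict(src, ingress):
    """Strict uRPF: the best non-default route to the source must point
    back out the interface the packet arrived on."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0 and hit[1] == ingress


def rpf_loose(src):
    """Loose uRPF: some non-default route to the source must exist,
    regardless of which interface it points to."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0


def mgmt_allowed(src, dst_port):
    """Accept SNMP toward infrastructure only from the management net."""
    return dst_port == SNMP_PORT and ipaddress.ip_address(src) in MGMT_NET


if __name__ == "__main__":
    # Spoofed customer source arriving from the peer: strict drops, loose passes.
    print(rpf_strict("192.0.2.10", "peer0"), rpf_loose("192.0.2.10"))
```

The last line shows the gap the post is pointing at: loose RPF accepts a source that strict RPF would reject when the spoofed address is routable somewhere else on the box.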