[45699] in North American Network Operators' Group
Re: it's here
daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Feb 12 15:17:10 2002
Date: Tue, 12 Feb 2002 15:16:08 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Eric Brandwine <ericb@UU.NET>
Cc: Alex Rubenstein <alex@nac.net>, <nanog@merit.edu>
In-Reply-To: <gu9y9hyo5s8.fsf@rampart.argfrp.us.uu.net>
Message-ID: <Pine.GSO.4.40.0202121505370.8290-100000@clifden.donelan.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On 12 Feb 2002, Eric Brandwine wrote:
> sd> SNMP is a UDP management protocol, and even under the best of
> sd> conditions, accepting packets from out of the blue isn't a good
> sd> idea.
>
> Spoofed packets?
>
> It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> all customer facing interfaces.
I can remember many cases when my HP Openview network discovery process
would attempt to map the entire Internet because it strayed into a
peer's network. So it may be fairly common.
At least one provider has told me they don't use in-band management for
their network infrastructure. They have a completely separate frame
network connecting to POP management LANs which in turn is connected to
separate management ports on the equipment. I don't know how common this
is among large providers.
I had a smaller network, so I filtered the IP block used for my management
LAN from all external sources (and "logged" the ACLs so I picked up the
stray packets from places I missed). A "real" packet should never
be sourced from outside my network topology, so even if you spoofed the
IP address the topology would block it. Of course, this depended on
topological integrity. I can understand why larger providers
can't do that; it doesn't scale.
But there are a lot of small and medium providers that can do it.
I agree, it's a glass house issue. I was just wondering how bad of an
issue it really is.
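The management-LAN filter the post describes, as an added worked example that is not part of the original message or of any provider's configuration: a topology-based ingress check that denies, on external (peer/transit/customer) interfaces, any packet whose source claims to be inside the provider's own space (a spoof) or whose destination is the management prefix, and that logs every hit by ingress interface so the "places I missed" show up. The prefixes 192.0.2.0/24 (management LAN), 198.51.100.0/24 (the provider's address space), the interface names, and the sample packets are all constructed assumptions.

```python
"""Logged ingress ACL for a management LAN (constructed example).

Assumed/hypothetical: management LAN 192.0.2.0/24, provider space
198.51.100.0/24, external interfaces named peer0/transit1/cust3,
internal interface core1.  Sample packets below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

MGMT_PREFIX = ipaddress.ip_network("192.0.2.0/24")    # hypothetical mgmt LAN
OUR_SPACE = ipaddress.ip_network("198.51.100.0/24")   # hypothetical provider block


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 0


@dataclass
class MgmtIngressFilter:
    external_ifs: set
    log: list = field(default_factory=list)

    def check(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny'; every deny is logged with its reason."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.ingress_if in self.external_ifs:
            # Topology rule: a packet arriving from outside can never
            # legitimately carry one of our own addresses as its source,
            # so spoofing a management address does not get it through.
            if src in OUR_SPACE or src in MGMT_PREFIX:
                return self._deny(pkt, "spoofed internal source on external interface")
            # No external source may reach the management LAN at all,
            # whatever the protocol or port (SNMP included).
            if dst in MGMT_PREFIX:
                return self._deny(pkt, "external source to management LAN")
        return "permit"

    def _deny(self, pkt: Packet, reason: str) -> str:
        self.log.append(
            f"deny if={pkt.ingress_if} {pkt.src}->{pkt.dst} "
            f"{pkt.proto}/{pkt.dport}: {reason}"
        )
        return "deny"

    def hits_by_interface(self) -> dict:
        """Count logged denies per ingress interface: the 'stray packets
        from places I missed' view of the ACL log."""
        return dict(Counter(line.split()[1][3:] for line in self.log))


# Constructed sample traffic; 203.0.113.0/24 stands in for the outside world.
SAMPLE = [
    Packet("peer0", "203.0.113.5", "192.0.2.10", "udp", 161),      # SNMP from a peer
    Packet("peer0", "192.0.2.7", "192.0.2.10", "udp", 161),        # spoofed mgmt source
    Packet("core1", "192.0.2.7", "192.0.2.10", "udp", 161),        # real in-band mgmt
    Packet("cust3", "203.0.113.9", "198.51.100.20", "tcp", 80),    # ordinary customer traffic
    Packet("transit1", "198.51.100.4", "198.51.100.20", "tcp", 22),  # spoofed our space
]


def run_sample():
    """Apply the filter to SAMPLE; return (decisions, filter) for inspection."""
    f = MgmtIngressFilter(external_ifs={"peer0", "transit1", "cust3"})
    decisions = [f.check(p) for p in SAMPLE]
    return decisions, f


if __name__ == "__main__":
    decisions, f = run_sample()
    for pkt, d in zip(SAMPLE, decisions):
        print(d, pkt)
    print(f.hits_by_interface())
```

The filter only holds if the external/internal classification of interfaces is complete and correct, which is the "topological integrity" the post depends on; an interface left off `external_ifs` is exactly the kind of gap the per-interface hit count is meant to surface once stray traffic arrives on a neighbouring one.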