[45713] in North American Network Operators' Group


Re: it's here

daemon@ATHENA.MIT.EDU (Ron da Silva)
Wed Feb 13 10:35:20 2002

Date: Wed, 13 Feb 2002 10:29:41 -0500
From: Ron da Silva <ron@aol.net>
To: Eric Brandwine <ericb@UU.NET>
Cc: Sean Donelan <sean@donelan.com>, Alex Rubenstein <alex@nac.net>,
	nanog@merit.edu
Message-ID: <20020213102941.C4664@aol.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <gu9y9hyo5s8.fsf@rampart.argfrp.us.uu.net>; from ericb@UU.NET on Tue, Feb 12, 2002 at 07:32:07PM +0000
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> 
> >>>>> "sd" == Sean Donelan <sean@donelan.com> writes:
> 
> sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> >> http://www.cert.org/advisories/CA-2002-03.html
> 
> sd> ASN.1 is pretty cool, but I've been wondering are there that
> sd> many ISPs which allow external SNMP access to their equipment?
> sd> SNMP is a UDP management protocol, and even under the best of
> sd> conditions, accepting packets from out of the blue isn't a good
> sd> idea.
> 
> Spoofed packets?
> 
> It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> all customer facing interfaces.

But it should be not only feasible, but standard practice.
-ron
