[45714] in North American Network Operators' Group
Re: it's here
daemon@ATHENA.MIT.EDU (Eric Brandwine)
Wed Feb 13 11:05:43 2002
To: Ron da Silva <ron@aol.net>
Cc: Sean Donelan <sean@donelan.com>, Alex Rubenstein <alex@nac.net>,
nanog@merit.edu
From: Eric Brandwine <ericb@UU.NET>
Date: 13 Feb 2002 15:55:25 +0000
In-Reply-To: Ron da Silva's message of "Wed, 13 Feb 2002 10:29:41 -0500"
Message-ID: <gu9bsetv0k2.fsf@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu

>>>>> "rds" == Ron da Silva <ron@aol.net> writes:
>> >> http://www.cert.org/advisories/CA-2002-03.html
>>
sd> ASN.1 is pretty cool, but I've been wondering are there that
sd> many ISPs which allow external SNMP access to their equipment?
sd> SNMP is a UDP management protocol, and even under the best of
sd> conditions, accepting packets from out of the blue isn't a good
sd> idea.
>> Spoofed packets?
>> It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
>> all customer facing interfaces.
rds> But it should be not only feasible, but standard practice.

It's impossible using most high bandwidth gear that's out there. At
these speeds, you can either route the bits, or look at them, but not
both. Juniper is the one vendor that's given us packet inspection
abilities that scale with bandwidth. We have non-Juniper routers.
Please, tell your vendors you want line-rate filtering up to layer 4.
We're tired of being told "But you're the only ones that ask for
this".

Without control plane separation (and it's not possible with Cisco,
Juniper, or most other routers out there), management services are
listening on the public network, and that makes this very scary,
regardless of filtering policies, etc.
ericb
--
Eric Brandwine | "Intel Inside" is a Government Warning required by Law.
UUNetwork Security |
ericb@uu.net |
+1 703 886 6038 | - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
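The two controls argued for in the message above, BCP38-style anti-spoof ingress filtering on customer-facing interfaces and keeping SNMP on the router's own addresses reachable only from a management prefix, as an added Python model that is not part of this post, of NANOG, or of any vendor's software. The prefixes, router addresses and packets are constructed samples, and the classification logic is a plain software model of what an interface ACL plus a control-plane policy would decide, not a line-rate implementation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: prefixes assigned to the customer behind this interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/25")]
# Constructed sample: the router's own loopback / management addresses.
ROUTER_ADDRESSES = {ipaddress.ip_address("192.0.2.1")}
# Constructed sample: the NOC prefix that is allowed to talk SNMP to the router.
MGMT_PREFIX = ipaddress.ip_network("192.0.2.128/26")
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    """Minimal header view: enough to make an ACL decision."""
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0  # ignored for icmp


def ingress_antispoof(pkt, customer_prefixes):
    """BCP38 ingress check: the source must lie inside the customer's prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in customer_prefixes)


def control_plane_policy(pkt, router_addresses, mgmt_prefix):
    """Traffic addressed to the router itself: SNMP only from the management prefix.
    Transit traffic (not destined to the router) is not the control plane's concern."""
    if ipaddress.ip_address(pkt.dst) not in router_addresses:
        return True
    if pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        return ipaddress.ip_address(pkt.src) in mgmt_prefix
    return True


def filter_interface(packets, customer_prefixes=CUSTOMER_PREFIXES,
                     router_addresses=ROUTER_ADDRESSES, mgmt_prefix=MGMT_PREFIX):
    """Apply anti-spoof first, then control-plane policy; return (verdict, reason) per packet."""
    verdicts = []
    for pkt in packets:
        if not ingress_antispoof(pkt, customer_prefixes):
            verdicts.append(("drop", "spoofed-source"))
        elif not control_plane_policy(pkt, router_addresses, mgmt_prefix):
            verdicts.append(("drop", "snmp-to-control-plane"))
        else:
            verdicts.append(("permit", "ok"))
    return verdicts


# Constructed sample packets as they might arrive on the customer-facing interface.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "8.8.8.8", "udp", 53),     # customer DNS query: transit, permitted
    Packet("10.0.0.5", "8.8.8.8", "udp", 53),         # source not assigned to customer: spoofed
    Packet("198.51.100.7", "192.0.2.1", "udp", 161),  # customer host poking router SNMP: dropped
    Packet("192.0.2.130", "192.0.2.1", "udp", 161),   # NOC source on a customer port: spoofed
    Packet("203.0.113.9", "192.0.2.1", "icmp"),       # customer ping to router: permitted
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_interface(SAMPLE_PACKETS)):
        print(f"{pkt.src:>14} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport:<4} {verdict:6} {reason}")
    # The same NOC packet on the management interface (whose assigned prefix is MGMT_PREFIX)
    # passes anti-spoof and is the one SNMP source the control-plane policy accepts.
    print(filter_interface([SAMPLE_PACKETS[3]], customer_prefixes=[MGMT_PREFIX]))
```

The ordering matters: the fourth packet carries a legitimate management source address but arrives on a customer port, so the anti-spoof rule drops it before the SNMP rule is ever consulted; only on the interface where that prefix is actually assigned does the SNMP exception apply. That is the defensive value of doing both checks rather than relying on the SNMP source filter alone.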