[45715] in North American Network Operators' Group


Re: it's here

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed Feb 13 11:10:33 2002

Date: Wed, 13 Feb 2002 16:06:23 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Ron da Silva <ron@aol.net>
Cc: Eric Brandwine <ericb@UU.NET>, Sean Donelan <sean@donelan.com>,
	Alex Rubenstein <alex@nac.net>, <nanog@merit.edu>
In-Reply-To: <20020213102941.C4664@aol.net>
Message-ID: <Pine.GSO.4.33.0202131602130.3098-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu




On Wed, 13 Feb 2002, Ron da Silva wrote:

>
> On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> >
> > >>>>> "sd" == Sean Donelan <sean@donelan.com> writes:
> >
> > sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> > >> http://www.cert.org/advisories/CA-2002-03.html
> >
> > sd> ASN.1 is pretty cool, but I've been wondering are there that
> > sd> many ISPs which allow external SNMP access to their equipment?
> > sd> SNMP is a UDP management protocol, and even under the best of
> > sd> conditions, accepting packets from out of the blue isn't a good
> > sd> idea.
> >
> > Spoofed packets?
> >
> > It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> > all customer facing interfaces.
>
> But it should be not only feasible, but standard practice.

'Should be' is the key word here... in practical terms though this is not
feasible. There are revisions of oc-12 and oc-48 cards in platforms that
don't support filtering.

Long term all users of internet routing hardware (or routing hardware in
general) should push their vendors to implement line-rate filtering. There
really is no reason NOT to do it, is there? Even better would be the
ability to look inside the entire packet; this way the next code-red can
be stopped at a higher level in the network where people that actually
care about the problem can take appropriate action.

-Chris

