[46032] in North American Network Operators' Group


Re: Telco's write best practices for packet switching networks

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Fri Mar 8 21:10:44 2002

Date: Fri, 8 Mar 2002 21:07:43 -0500
From: Leo Bicknell <bicknell@ufp.org>
To: Vadim Antonov <avg@exigengroup.com>
Cc: nanog@merit.edu
Message-ID: <20020309020743.GA64327@ussenterprise.ufp.org>
Mail-Followup-To: Vadim Antonov <avg@exigengroup.com>,
	nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0203081648540.20742-100000@arch.exigengroup.com>
Errors-To: owner-nanog-outgoing@merit.edu


In a message written on Fri, Mar 08, 2002 at 05:52:46PM -0800, Vadim Antonov wrote:
> 1) isolation of control traffic from payload traffic to eliminate 
>    possible security breaches.
[snip]
> On #1, Internet routing protocols are notoriously weak. Using globally
> routable frames to carry neighbour-to-neighbour routing information is a
> recipe for disaster (I think everyone on this list can think of a few
> not-yet-plugged holes arising from this approach).

This is an area of interest of mine when looking at IPv6.  IPv6
has the notion of link local IP addresses, that can't (for some
definition of can't) be accessed unless you are on that link.

This could go a long way to fixing the problems you mention, but
it introduces some additional configuration issues.  In particular,
the current practice of using the same link local addresses on
every link means you would need to configure both the address and
the port.

In any event, I wonder if there is an opportunity here for additional
security.  Although any changes are clearly years off.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
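
The configuration issue raised in the message above, as an added example that is not part of the original post: a small audit of a routing-neighbor list that flags peers reachable beyond the link and link-local peers given without an interface. It takes "port" to mean the interface, and the `address%interface` notation, function names and sample list are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample neighbor list: "address%interface", interface optional.
SAMPLE_NEIGHBORS = [
    "2001:db8:0:1::2",  # stand-in for a globally routable peer address
    "fe80::1",          # link-local, no interface given
    "fe80::1%eth0",     # link-local on eth0
    "fe80::1%eth1",     # same link-local address on a different link
]

def split_peer(peer):
    """Split 'addr%zone' into (IPv6Address, zone or None)."""
    text, _, zone = peer.partition("%")
    return ipaddress.IPv6Address(text), (zone or None)

def classify(peer):
    """Say whether a configured peer address confines the session to one link."""
    addr, zone = split_peer(peer)
    if not addr.is_link_local:
        return "not-link-local"                # frames can be sourced off-link
    if zone is None:
        return "link-local-missing-interface"  # fe80::/10 alone names no link
    return "link-local-scoped"

def audit(neighbors):
    """Return (verdicts, reused).

    reused maps each link-local address configured on more than one
    interface to those interfaces; for these, the address alone cannot
    identify the neighbor and the key must be (address, interface).
    """
    verdicts = {p: classify(p) for p in neighbors}
    by_addr = defaultdict(set)
    for p in neighbors:
        addr, zone = split_peer(p)
        if addr.is_link_local and zone:
            by_addr[str(addr)].add(zone)
    reused = {a: sorted(z) for a, z in by_addr.items() if len(z) > 1}
    return verdicts, reused

if __name__ == "__main__":
    verdicts, reused = audit(SAMPLE_NEIGHBORS)
    for peer, verdict in verdicts.items():
        print(f"{peer:20} {verdict}")
    for addr, zones in reused.items():
        print(f"{addr} appears on {zones}: key sessions by (address, interface)")
```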
