[55496] in North American Network Operators' Group
RE: routing between provider edge and CPE routers
daemon@ATHENA.MIT.EDU (Mike Bernico)
Wed Jan 29 17:48:41 2003
Date: Wed, 29 Jan 2003 16:46:56 -0600
From: "Mike Bernico" <mbernico@illinois.net>
To: "Vadim Antonov" <avg@kotovnik.com>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
> So, by accepting routes from CPE you create a huge security vulnerability
> for your customers, and other parties. This practice was understood as a
> very bad network engineering for decades.
Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I must have missed that memo. Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.
> 1) for single-homed sites use static routing, period. Dynamic routing
> does not add anything useful in this case (if circuit is down, it's down,
> there are no alternative ways to reach the customer's network).
I agree, and all the feedback I've gotten should help me convince my
peers.
> The "convenience" of having to configure only CPE box is no excuse. Invest
> some resources in a rather trivial configuration management system, which
> keeps track of what network addresses were allocated to which customer,
> and produces corresponding bits of router configuration automatically.
> Most respectable ISPs did that long time ago. That will also reduce your
> tech support costs.
I've never heard of software like that. Do you have a recommended
vendor? Is it typically developed in house?
> PS. They should really require a test in "defensive networking" before
> letting anyone to touch provider's routers...
What can I say, I must work cheap!
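
The configuration management idea from the quoted text, as an added example that is not part of the original message or any poster's tooling: a table of customer allocations is validated and turned into static routes for the provider edge router. The customer names, interface names, prefixes (documentation ranges) and the IOS-style `ip route` output are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: provider aggregates and per-customer allocations.
AGGREGATES = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/24")]
ALLOCATIONS = [
    {"customer": "acme", "interface": "Serial0/0",
     "prefixes": ["198.51.100.0/26"]},
    {"customer": "globex", "interface": "Serial0/1",
     "prefixes": ["198.51.100.64/26", "203.0.113.0/25"]},
]

def validate(allocations, aggregates):
    """Parse the table into (customer, interface, network) rows.

    Raises ValueError for a prefix with host bits set, a prefix outside
    the provider's aggregates, or a prefix overlapping another allocation.
    """
    rows = []
    for entry in allocations:
        for text in entry["prefixes"]:
            net = ipaddress.ip_network(text, strict=True)  # rejects host bits
            if not any(a.version == net.version and net.subnet_of(a)
                       for a in aggregates):
                raise ValueError(f"{net} ({entry['customer']}) is outside "
                                 "the provider aggregates")
            for other_customer, _, other in rows:
                if other.version == net.version and net.overlaps(other):
                    raise ValueError(f"{net} ({entry['customer']}) overlaps "
                                     f"{other} ({other_customer})")
            rows.append((entry["customer"], entry["interface"], net))
    return rows

def render_static_routes(allocations, aggregates):
    """Emit one static route per allocated IPv4 prefix (assumed IOS syntax)."""
    lines = []
    for customer, interface, net in validate(allocations, aggregates):
        if net.version != 4:
            raise ValueError(f"{net}: this sketch only renders IPv4 routes")
        lines.append(f"! customer {customer}")
        lines.append(f"ip route {net.network_address} {net.netmask} {interface}")
    return lines

if __name__ == "__main__":
    print("\n".join(render_static_routes(ALLOCATIONS, AGGREGATES)))
```

Because the routes come only from the allocation table, a prefix the customer was never assigned cannot reach the provider's routing table, which is the exposure the quoted text attributes to accepting routes from CPE.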