Ethernet EP - MAC Address Filtering

Deepak Jain deepak at ai.net
Mon Feb 11 22:46:33 UTC 2002


"Also while Deepak pointed out that you could perform line rate packet
filtering only allowing packets to valid destinations on your network,
this would only stop someone defaulting you but would not stop someone
repointing next hop to valid destinations on your network."

Besides politics, and QoS issues, is the latter scenario worth wasting
management time on?

I always thought that the biggest concern for most networks was a "peer"
defaulting to you such that your interface would then forward the packet to
its final destination [ostensibly a peer of yours at the same IX, but
potentially across your network first].

I would think that if you did mac address exclusion [mac addresses of those
you don't peer with] and ingress destination filtering a large percentage of
the problem would vanish.

Then again, if you are just doing mac address exclusion, it doesn't really
keep someone from changing their mac address in software as often as they
please.

If you did inclusion filtering [only those on the allow list] then anytime
someone swaps a card, you lose a peer.

Hmmm.

I guess that's the whole point of private cross connects.

Deepak Jain
AiNET

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
David McGaugh
Sent: Monday, February 11, 2002 3:15 PM
To: Lane Patterson
Cc: nanog at merit.edu
Subject: Re: Ethernet EP - MAC Address Filtering


	I would be planning to deploy it on the Juniper Platforms and it appears
that at least the 4 port FE PICs support it as well. I would imagine
(without actually investigating it) you could do some sort of port
security on the 65xx/76xx platform though.

	Primarily I am questioning whether it would be scalable in the long
term or whether it would become more trouble than what it would be
worth.

	Also while Deepak pointed out that you could perform line rate packet
filtering only allowing packets to valid destinations on your network,
this would only stop someone defaulting you but would not stop someone
repointing next hop to valid destinations on your network.


-Dave


Lane Patterson wrote:
>
> I'm aware that Juniper GigE interfaces support a mac-filter-list.  I'm
> not well versed on which versions of Cisco router products support this
> well (and line rate), but I didn't think GSRs and 7xxx had any support for
> this.  Are the L2/L3 family (65xx, 76xx) able to handle mac-filters at
> line rate w/o a slow path?
>
> I too would be interested in knowing if folks perform mac-filtering.
>
> Certainly there are other measures you can take as well, such as scripting
> some default-pointing traceroute checks, to check both peers and non-peers
> on an IXP fabric.  These have been documented at various times, and Avi
> at one point posted some form of this to Nanog (moons ago...search
> archives).
>
> My impression of "best practices" would be to:
>
>         1.  implement mac-filter or mac-counters to prevent
>                 any illegally statically routed non-peer traffic.
>         2.  implement traceroute scripts to check that peers are
>                 not defaulting any partial transit thru you.
>
> Feedback welcome :-)
>
> Cheers,
> -Lane
>
> On Fri, Feb 08, 2002 at 10:29:07AM -0800, David McGaugh
> <david_mcgaugh at eli.net> wrote:
>
> > Hello NANOG,
> >
> >       Just curious if anyone is performing MAC Address Filtering at any of
> > the Ethernet Exchange Points. If so has it been found to be easy to
> > administer or difficult whereby peers may be changing Layer 3 devices
> > or Interfaces without notice? Alternately is MAC Address Filtering
> > considered an unneeded security measure?
> >
> > Thanks,
> > Dave
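Deepak's pairing of a peer MAC list with ingress destination filtering, and the mac-filter/mac-counters step in Lane's list, can be sanity-checked offline against what a port actually receives. The following is an added example, not code from anyone in this thread: it classifies constructed sample frames against a hypothetical peer MAC inclusion list and a hypothetical list of prefixes this network serves, then tallies verdicts per source MAC. A peer that swaps a card lands in the drop:non-peer-mac bucket until the list is updated, which is exactly the maintenance cost Deepak describes.

```python
"""Audit of frames seen on an IXP-facing port; added example with constructed data."""
import ipaddress
from collections import Counter

# Hypothetical peer table (constructed MAC addresses): the inclusion list.
PEER_MACS = {
    "00:11:22:aa:bb:01": "peer-A",
    "00:11:22:aa:bb:02": "peer-B",
}

# Hypothetical prefixes this network accepts traffic for (documentation ranges).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def classify(src_mac, dst_ip, peer_macs=PEER_MACS, our_prefixes=OUR_PREFIXES):
    """Verdict for one frame: accept, drop:non-peer-mac, or drop:not-our-prefix."""
    src_mac = src_mac.lower()
    if src_mac not in peer_macs:
        # Unknown source: a non-peer with a static route pointed at this port.
        return "drop:non-peer-mac"
    if not any(ipaddress.ip_address(dst_ip) in net for net in our_prefixes):
        # Known peer, but destination is off-net: defaulting / transit through us.
        return "drop:not-our-prefix"
    return "accept"


def audit(frames, **kwargs):
    """Tally verdicts per source MAC, the 'mac-counters' view from the thread."""
    counts = {}
    for src_mac, dst_ip in frames:
        verdict = classify(src_mac, dst_ip, **kwargs)
        counts.setdefault(src_mac.lower(), Counter())[verdict] += 1
    return counts


# Constructed sample frames as (source MAC, destination IP) pairs.
SAMPLE_FRAMES = [
    ("00:11:22:aa:bb:01", "192.0.2.10"),    # peer-A to a customer of ours: fine
    ("00:11:22:aa:bb:01", "203.0.113.7"),   # peer-A toward a third party: defaulting on us
    ("00:11:22:AA:BB:02", "198.51.100.5"),  # peer-B, upper-case MAC, to us: fine
    ("00:11:22:ff:ff:99", "192.0.2.10"),    # unknown MAC with a static route aimed at us
    ("00:11:22:ff:ff:99", "203.0.113.7"),   # unknown MAC using us as transit
]

if __name__ == "__main__":
    for mac, tally in audit(SAMPLE_FRAMES).items():
        print(mac, dict(tally))
```

The per-MAC tally is the part worth keeping over time: a peer whose drop:not-our-prefix count climbs is the "defaulting" case, while a non-peer MAC with any traffic at all is the static-route case Lane's first step is meant to catch.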