it's here

Eric Brandwine ericb at UU.NET
Wed Feb 13 15:55:25 UTC 2002


>>>>> "rds" == Ron da Silva <ron at aol.net> writes:

>> >> http://www.cert.org/advisories/CA-2002-03.html
>> 
sd> ASN.1 is pretty cool, but I've been wondering are there that
sd> many ISPs which allow external SNMP access to their equipment?
sd> SNMP is a UDP management protocol, and even under the best of
sd> conditions, accepting packets from out of the blue isn't a good
sd> idea.

>> Spoofed packets?

>> It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
>> all customer facing interfaces.

rds> But it should be not only feasible, but standard practice.

It's impossible using most high bandwidth gear that's out there.  At
these speeds, you can either route the bits, or look at them, but not
both.  Juniper is the one vendor that's given us packet inspection
abilities that scale with bandwidth.  We have non-Juniper routers.

Please, tell your vendors you want line-rate filtering up to layer 4.
We're tired of being told "But you're the only ones that ask for
this".

Without control plane separation (and it's not possible with Cisco,
Juniper, or most other routers out there), management services are
listening on the public network, and that makes this very scary,
regardless of filtering policies, etc.

ericb
-- 
Eric Brandwine     |  "Intel Inside" is a Government Warning required by Law.
UUNetwork Security |
ericb at uu.net       |
+1 703 886 6038    |      - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E