it's here

Christopher L. Morrow chris at UU.NET
Wed Feb 13 16:06:23 UTC 2002




On Wed, 13 Feb 2002, Ron da Silva wrote:

>
> On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> >
> > >>>>> "sd" == Sean Donelan <sean at donelan.com> writes:
> >
> > sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
> > >> http://www.cert.org/advisories/CA-2002-03.html
> >
> > sd> ASN.1 is pretty cool, but I've been wondering are there that
> > sd> many ISPs which allow external SNMP access to their equipment?
> > sd> SNMP is a UDP management protocol, and even under the best of
> > sd> conditions, accepting packets from out of the blue isn't a good
> > sd> idea.
> >
> > Spoofed packets?
> >
> > It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> > all customer facing interfaces.
>
> But it should be not only feasible, but standard practice.

'Should be' is the key word here... in practical terms though this is not
feasible. There are revisions of oc-12 and oc-48 cards in platforms that
don't support filtering.

Long term all users of internet routing hardware (or routing hardware in
general) should push their vendors to implement line-rate filtering. There
really is no reason NOT to do it is there? Even better would be the
ability to look inside the entire packet, this way the next code-red can
be stopped at a higher level in the network where people that actually
care about the problem can take appropriate action.

-Chris
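The customer-facing anti-spoof filtering the thread argues over, as an added example that is not part of the original post: a BCP38-style ingress check in which each customer interface may only source packets from the prefixes assigned to it, plus a management-plane rule that accepts SNMP aimed at the router itself only from NOC stations, answering the "packets out of the blue" concern above. Interface names, prefixes, the router address and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed assumption: prefixes each customer-facing interface may legitimately source.
CUSTOMER_PREFIXES = {
    "pos1/0": ["192.0.2.0/24"],                       # single-homed customer
    "pos2/0": ["198.51.100.0/25", "203.0.113.0/24"],  # customer site that also hosts the NOC
}
# Constructed assumption: router addresses and the NOC stations allowed SNMP (UDP/161) to them.
ROUTER_ADDRS = {"203.0.113.1"}
SNMP_MGMT_PREFIXES = ["203.0.113.128/26"]
SNMP_PORT = 161

# A packet as seen at the ingress interface (ifname) with its L3/L4 header fields.
Packet = namedtuple("Packet", "ifname src dst proto dport")

def in_any(addr: str, prefixes) -> bool:
    """True if addr lies inside any of the given CIDR prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def ingress_verdict(pkt: Packet) -> tuple:
    """Accept/drop decision for a packet arriving on a customer-facing interface."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ifname)
    if allowed is None:
        return "drop", "unknown interface"
    # Anti-spoof (BCP38): the source must belong to the customer behind this interface.
    if not in_any(pkt.src, allowed):
        return "drop", "source outside customer prefixes (spoofed)"
    # Management plane: SNMP aimed at the router itself is accepted only from NOC stations.
    if pkt.proto == "udp" and pkt.dport == SNMP_PORT and pkt.dst in ROUTER_ADDRS:
        if not in_any(pkt.src, SNMP_MGMT_PREFIXES):
            return "drop", "SNMP to router from non-management source"
    return "accept", "ok"

SAMPLE = [  # constructed sample traffic
    Packet("pos1/0", "192.0.2.10", "198.51.100.200", "tcp", 80),   # legitimate customer traffic
    Packet("pos1/0", "10.0.0.5", "198.51.100.200", "udp", 53),     # spoofed source address
    Packet("pos2/0", "203.0.113.130", "203.0.113.1", "udp", 161),  # SNMP from a NOC station
    Packet("pos2/0", "198.51.100.7", "203.0.113.1", "udp", 161),   # SNMP from a customer host
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.ifname, p.src, "->", p.dst, *ingress_verdict(p))
```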