it's here

Eric Brandwine ericb at UU.NET
Wed Feb 13 18:15:17 UTC 2002


>>>>> "js" == Jesper Skriver <jesper at skriver.dk> writes:

js> On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:

>> Without control plane separation (and it's not possible with Cisco,
>> Juniper, or most other routers out there), management services are
>> listening on the public network, and that makes this very scary,
>> regardless of filtering policies, etc.

js> interfaces {
...
js> }
js> firewall {
...
js> }

OK, but that's filtering.  The telnet/ssh/snmp daemon is still
listening on all interfaces.  You can't get there, as long as your
filter stands, but those are some hard filters to write.  They're
simple when they're simple, but they're very complex when they're not.
You're relying on your filters, rather than on proper configuration of
the daemon.  On a UNIX system, you can bind a service to all
interfaces (e.g. *.161) or just to a specific interface
(10.1.2.3:161).  This should be possible in general, on all routers.

We HAVE an OOB management network.  This is where all our console
servers, switches (there is no Ethernet in the backbone, don't shove
VLANs at me), etc all live.  This address space is not routed to you.
We like this.  There's no cost issues, we've already paid for it, and
need it for our layer 1/2 network anyway.

But then you plug an IP port on the router (vs. a console port) into
the mgmt net, and you've bridged the public net and the mgmt net.
Virtual routers are capable of maintaining multiple routing tables,
but last I checked, Juniper was not.  So how do you route this?

I send an SNMP query to the device.  It comes in over the mgmt net
(because for me, in my datacenter, the loopback for that device (or
its mgmt IP) is routed across the mgmt net).  The device receives,
digests, and decides to respond to this query.  Where does it send it?
My datacenter is routed on the internet, so does it send it out the
public interface?  Or do I route my datacenter over the mgmt net?  You
can start filtering, but then those filters are suddenly very
important, crucial to the proper operation of the network.  Better not
fat finger anything.  Ever.

Or do I move all my backbone facing datacenters into a network that is
not routed on the Internet, but only on the mgmt net?  That has its
own host of problems.

And you still have to convince the router not to propagate routes that
it learns from the mgmt net into the public network.  This can be done
with filters, but when you have a global mgmt network spread over many
netblocks, regions, etc, it's ugly.

The router needs to act as a router to the public network.  But it
needs to act as a host (with only 1 interface) to the mgmt net.  This
is not how current routers work.

Been there, done that, it's not that simple.

ericb
-- 
Eric Brandwine     |  Put your hand on a hot stove for a minute and it seems
UUNetwork Security |  like an hour, sit next to a pretty woman for an hour
ericb at uu.net       |  and it seems like a minute. That's relativity.
+1 703 886 6038    |      - Albert Einstein
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
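The reply-routing problem Eric describes (a query arrives over the mgmt net, but the router's single routing table sends the answer out the public interface) is easy to lose in prose. The following is an added example, not part of the original message or of any vendor's code: a toy longest-prefix-match router in Python, using constructed RFC 5737 documentation prefixes rather than real UUNET address space, that walks through the three situations in the post: the default single-table leak, the "route my datacenter over the mgmt net" fix and how a fat-fingered prefix breaks it, and a per-interface table (the virtual-router behaviour he says Juniper lacked at the time) where the router acts like a one-interface host toward the mgmt net. The interface names "public" and "mgmt" and the scenario functions are assumptions for illustration.

```python
"""Model of the management-plane reply-routing problem from the post.

Constructed example: a tiny longest-prefix-match router that can keep either
one global routing table or one table per ingress interface, used to show
where a reply to a query received on the management interface goes.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not real networks.
PUBLIC_DC = "203.0.113.0/24"   # datacenter, routed on the Internet
MGMT_NET = "192.0.2.0/24"      # OOB management network, never routed publicly


class RoutingTable:
    """Longest-prefix-match table mapping prefix -> outgoing interface."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


class Router:
    """A conventional router has one global table; a virtual router (VRF-style)
    keeps a separate table per ingress interface, so the mgmt side behaves
    like a host whose only exit is the mgmt interface."""

    def __init__(self, per_interface_tables: bool = False) -> None:
        self.per_interface = per_interface_tables
        self.tables: Dict[str, RoutingTable] = {}

    def table_for(self, in_iface: str) -> RoutingTable:
        key = in_iface if self.per_interface else "global"
        return self.tables.setdefault(key, RoutingTable())

    def reply_interface(self, in_iface: str, query_src: str) -> Optional[str]:
        """Interface the reply to a query (received on in_iface) is sent out."""
        return self.table_for(in_iface).lookup(query_src)


def single_table_router() -> Router:
    """Default route to the Internet plus a directly attached mgmt prefix."""
    r = Router()
    t = r.table_for("any")
    t.add("0.0.0.0/0", "public")
    t.add(MGMT_NET, "mgmt")
    return r


def scenario_leaks_to_public() -> Optional[str]:
    # Management station 203.0.113.10 lives in the public datacenter and sends
    # its query over the mgmt net; the single table answers via the Internet.
    return single_table_router().reply_interface("mgmt", "203.0.113.10")


def scenario_dc_routed_over_mgmt() -> Optional[str]:
    # Fix 1: route the whole datacenter prefix over the mgmt net. The more
    # specific /24 now beats the default route, so the reply stays on mgmt.
    r = single_table_router()
    r.table_for("any").add(PUBLIC_DC, "mgmt")
    return r.reply_interface("mgmt", "203.0.113.10")


def scenario_fat_finger() -> Tuple[Optional[str], Optional[str]]:
    # Same fix with a typo: /25 instead of /24 covers only .0-.127. Hosts in
    # the upper half of the datacenter silently get their replies via public.
    r = single_table_router()
    r.table_for("any").add("203.0.113.0/25", "mgmt")
    return (r.reply_interface("mgmt", "203.0.113.10"),
            r.reply_interface("mgmt", "203.0.113.200"))


def scenario_separate_tables() -> Tuple[Optional[str], Optional[str]]:
    # Fix 2: one table per interface. Traffic that arrived on mgmt can only
    # leave via mgmt, regardless of what the public table says about the source.
    r = Router(per_interface_tables=True)
    r.table_for("public").add("0.0.0.0/0", "public")
    r.table_for("mgmt").add("0.0.0.0/0", "mgmt")
    return (r.reply_interface("mgmt", "203.0.113.10"),
            r.reply_interface("public", "203.0.113.10"))


if __name__ == "__main__":
    print("single table, reply goes out:", scenario_leaks_to_public())
    print("DC routed over mgmt, reply goes out:", scenario_dc_routed_over_mgmt())
    print("fat-fingered /25, replies go out:", scenario_fat_finger())
    print("per-interface tables, replies go out:", scenario_separate_tables())
```

The fat-finger scenario is the point of the "better not fat finger anything, ever" remark: with one table, correctness of the management plane rests on every prefix being exactly right, and a mistake produces a quiet leak rather than an outage you would notice. With per-interface tables the mgmt reply path does not depend on the public table at all.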