it's here

Eric Brandwine ericb at UU.NET
Wed Feb 13 19:06:33 UTC 2002


>>>>> "th" == Tony Hain <alh-ietf at tndh.net> writes:

th> Eric Brandwine wrote:
>> Please, tell your vendors you want line-rate filtering up to layer 4.

th> And when you do so, be prepared to pay what it will cost to deliver
th> that.

Absolutely!  And it'll be well worth it too.  The up-front cost is
higher, but economy of scale will bring it down.  Having routers that
can protect themselves, protect devices behind them, track attacks,
and provide vastly improved visibility into your network will pay for
itself quickly.  Imagine, a router that cannot be knocked over!

I have this argument with Chris and my management all the time.  Up
through layer 4, headers are well defined, bit fields, 16/32 bit ints,
etc.  Filtering at this point is just making a decision to do so, and
designing it into hardware.  Juniper did it from the beginning
(mostly), and does it well.  More recent Cisco GSR line cards (Engine
4, etc) come close.  It's just another ASIC.  Filtering past layer 5
is open to argument, that's a much harder job, but up till 4, it's
almost free.

When we installed CF chips in all our M40s, the amount of extra
information that we gained about our network was amazing.  We
regularly see multi-gigabit attack flows in the network, and are now
able to mitigate/filter/track them.  It's a good thing, and with
general purpose filtering capabilities, you're always finding new uses
for them.

ericb
-- 
Eric Brandwine     |  Doing what little one can to increase the general stock
UUNetwork Security |  of knowledge is as respectable an object of life, as one
ericb at uu.net       |  can in any likelihood pursue.
+1 703 886 6038    |      - Charles Darwin
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
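To make concrete the post's point that headers up through layer 4 are fixed-width integer fields that can be matched with plain compares, here is an added example in C (not code from the post, NANOG, or any vendor) of a software 5-tuple matcher; the rule struct, the sample packet and the function names are all hypothetical and constructed. It also shows the two places a "fixed offset" filter has to be careful: IP options shift the layer-4 header, and non-first fragments carry no layer-4 header at all.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical 5-tuple rule: every field is a fixed-width integer compare. */
struct l4_rule {
    uint32_t src, src_mask, dst, dst_mask; /* IPv4 prefixes (mask 0 = any) */
    uint8_t  proto;                        /* 6 = TCP, 17 = UDP, 0 = any   */
    uint16_t dport;                        /* destination port, 0 = any    */
    uint8_t  tcp_flags_mask, tcp_flags;    /* match (flags & mask) == flags */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 1 = matches rule, 0 = does not, -1 = cannot classify (truncated packet or
 * a non-first fragment that carries no L4 header; a filter would drop it). */
int l4_match(const uint8_t *pkt, size_t len, const struct l4_rule *r)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* IP options shift L4 */
    if (ihl < 20 || len < ihl) return -1;
    uint8_t proto = pkt[9];
    if (r->proto && proto != r->proto) return 0;
    if ((be32(pkt + 12) & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((be32(pkt + 16) & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    int needs_l4 = r->dport || r->tcp_flags_mask;
    if (!needs_l4) return 1;
    if ((be16(pkt + 6) & 0x1fff) != 0) return -1;        /* non-first fragment */
    if (proto != 6 && proto != 17) return 0;             /* ports only in TCP/UDP */
    const uint8_t *l4 = pkt + ihl;
    if (len < ihl + (proto == 6 ? 20u : 8u)) return -1;  /* truncated L4 header */
    if (r->dport && be16(l4 + 2) != r->dport) return 0;
    if (proto == 6 && (l4[13] & r->tcp_flags_mask) != r->tcp_flags) return 0;
    return 1;
}

/* Constructed sample: IPv4/TCP 10.0.0.5:40000 -> 192.0.2.10:80, SYN only. */
static const uint8_t sample_syn[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,5, 192,0,2,10,
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };

/* Rule: TCP SYN (no ACK) to 192.0.2.0/24 port 80; returns l4_match's result. */
int demo_syn_to_web(size_t len) {
    struct l4_rule r = { 0, 0, 0xC0000200u, 0xFFFFFF00u, 6, 80, 0x12, 0x02 };
    return l4_match(sample_syn, len, &r);
}
```

A hardware implementation does the same compares in parallel per rule; the software version makes visible which checks (IHL, fragment offset, length) must precede the port and flag compares for the result to be trustworthy.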