Telco's write best practices for packet switching networks

• Previous message (by thread): Telco's write best practices for packet switching networks
• Next message (by thread): Telco's write best practices for packet switching networks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hurray, my favorite arguement!

On Thu, 7 Mar 2002, Joe Abley wrote:

>
> On Thursday, March 7, 2002, at 04:37 , Sean Donelan wrote:
>
> > My comment was originally prompted by the meeting minutes which
> > reported on the survey data showing that 100% of carriers are
> > implementing
> > firewalls in their gateways.  The 100% is what caught my eye.  As the
> > topic comes up in various places, large ISPs repeatedly say they are
> > unable to implement filters or packet screening on their high-speed
> > links such as at peering points.
>
> How recently are ISPs repeatedly saying this? Packet filtering on
> high-speed optical interfaces has been possible for some time, depending
> on your router vendor, for some value of "packet filtering".
>

'now' would be a good starting time, but atleast 2 years we've been saying
it (if not longer)

> I could understand it if the issue of how to manage packet filter
> definitions on routers as the network changes was a problem. But if I
> would be slightly surprised if there was still a universal voice saying
> "we absolutely cannot filter packets at the edge, because the vendors
> won't let us".
>

"we absolutely cannot filter packets at the edge, because the vendors
won't let us"

The equipment fries, the equipment does not support acls, the acls simply
don't work... I don't think I can put it any more clearly. There has got
to be a push from the USERS of this equipment (not just one user, all
users) to get line rate, full packet filtering capability on ALL
interfaces on EVERY router, everything from the smallest foundry or 1700
to the largest 12416 or M160 or Avici. If users don't start asking for
this 2 years ago it'll be another 4-5 years before its a reality. The
vendors will NOT push forward on this without a significant cash incentive
(like everyone saying: I need this so do it for me).

> To meet the requirements of what I understood the original quoted
> fragment to be saying, it's perhaps not necessary to packet filter at
> the edge, anyway. You can apply a firewall to just the loopback
> interface of a junos box and arguably consider your control element
> firewalled.
>

Yes, if this is about the original discussion point,
firewalling/protecting the control elements, then a loopback filter (or
similar technology on a non-juniper platform) would suffice.

• Previous message (by thread): Telco's write best practices for packet switching networks
• Next message (by thread): Telco's write best practices for packet switching networks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]