routing between provider edge and CPE routers
Mike Bernico
mbernico at illinois.net
Wed Jan 29 22:46:56 UTC 2003
> So, by accepting routes from CPE you create a huge security
> vulnerability for your customers, and other parties. This practice was
> understood as very bad network engineering for decades.
Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I must have missed that memo. Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.
> 1) for single-homed sites use static routing, period. Dynamic routing
> does not add anything useful in this case (if circuit is down, it's
> down, there are no alternative ways to reach the customer's network).
I agree, and all the feedback I've gotten should help me convince my
peers.
> The "convenience" of having to configure only CPE box is no excuse.
> Invest some resources in a rather trivial configuration management
> system, which keeps track of what network addresses were allocated to
> which customer, and produces corresponding bits of router configuration
> automatically. Most respectable ISPs did that a long time ago. That
> will also reduce your tech support costs.
I've never heard of software like that. Do you have a recommended
vendor? Is it typically developed in house?
> PS. They should really require a test in "defensive networking" before
> letting anyone touch provider's routers...
What can I say, I must work cheap!
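
An added example, not part of the original message or any ISP's tooling: a sketch of the allocation-driven generator the quoted advice describes, producing provider-edge static routes for single-homed customers from one table and refusing to emit anything when allocations are malformed or overlap. The customer names, interfaces, table layout and the Cisco IOS-style `ip route` output are assumptions; the prefixes are documentation ranges.

```python
import ipaddress

# Constructed sample allocation table (hypothetical customers and interfaces).
ALLOCATIONS = [
    {"customer": "acme", "interface": "Serial0/0",
     "prefixes": ["192.0.2.0/26"]},
    {"customer": "globex", "interface": "Serial0/1",
     "prefixes": ["192.0.2.64/26", "198.51.100.0/24"]},
]

def validate(allocations):
    """Return a list of problems: malformed prefixes and overlapping allocations."""
    problems, seen = [], []
    for entry in allocations:
        for text in entry["prefixes"]:
            try:
                # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)
                net = ipaddress.IPv4Network(text, strict=True)
            except ValueError as exc:
                problems.append(f"{entry['customer']}: {text}: {exc}")
                continue
            for other, owner in seen:
                if net.overlaps(other):
                    problems.append(
                        f"{entry['customer']}: {net} overlaps {other} ({owner})")
            seen.append((net, entry["customer"]))
    return problems

def render_pe_config(allocations):
    """Emit static routes for the provider edge; nothing is learned from the CPE."""
    problems = validate(allocations)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for entry in allocations:
        lines.append(f"! customer {entry['customer']}")
        for text in entry["prefixes"]:
            net = ipaddress.IPv4Network(text)
            # Assumed IOS-style syntax: ip route <network> <mask> <interface>
            lines.append(
                f"ip route {net.network_address} {net.netmask} {entry['interface']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_pe_config(ALLOCATIONS))
```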