
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: it's here

  • From: Sean Donelan
  • Date: Tue Feb 12 15:19:40 2002

On 12 Feb 2002, Eric Brandwine wrote:
> sd> SNMP is a UDP management protocol, and even under the best of
> sd> conditions, accepting packets from out of the blue isn't a good
> sd> idea.
> Spoofed packets?
> It's not feasible to filter antispoof at OC-12 or OC-48 line rate on
> all customer facing interfaces.

I can remember many cases when my HP Openview network discovery process
would attempt to map the entire Internet because it strayed into a
peer's network.  So it may be fairly common.

At least one provider has told me they don't use in-band management for
their network infrastructure.  They have a completely separate frame
network connecting to POP management LANs which in turn is connected to
separate management ports on the equipment.  I don't know how common this
is among large providers.

I had a smaller network, so I filtered the IP block used for my management
LAN from all external sources (and "logged" the ACLs so I picked up the
stray packets from places I missed).  A "real" packet should never
be sourced from outside my network topology, so even if you spoofed the
IP address the topology would block it. Of course, this depended on
topological integrity.  I can understand why larger providers
can't do that; it doesn't scale.

But there are a lot of small and medium providers that can do it.

I agree, it's a glass house issue.  I was just wondering how bad of an
issue it really is.
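The filtering approach described in the message (deny the management LAN's prefix on every external interface, log the hits, and use the log to find the interfaces that were missed) as an added Python example. This is not code from the original post or from any vendor; the management prefix, interface names and sample packets are constructed, and the Cisco-style ACL in the comment is only given to show the equivalent router policy.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed values: the management LAN block (an RFC 5737 documentation
# range) and the names of the interfaces that face peers and customers.
MGMT_PREFIX = ipaddress.ip_network("192.0.2.0/24")
EXTERNAL_INTERFACES = {"POS1/0", "Serial0/0"}

# The same policy on a Cisco-style router would be roughly:
#   access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
#   access-list 101 permit ip any any
# applied inbound on every external interface; the "log" keyword is what
# surfaces the stray packets the message talks about.


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "udp" / "tcp" / "icmp"
    dport: int


def evaluate(pkt: Packet):
    """Apply the management-block ACL to one packet.

    Returns (action, log_line); log_line is None for permitted traffic.
    Only packets arriving on an external interface are subject to the rule,
    so management traffic that really originates inside is untouched.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress in EXTERNAL_INTERFACES and src in MGMT_PREFIX:
        line = (f"list 101 denied {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dport}) "
                f"in on {pkt.ingress}")
        return "deny", line
    return "permit", None


def audit(packets):
    """Run the ACL over a batch and summarise where the strays came in.

    Returns (permitted, denied, hits_by_interface, log_lines). The
    per-interface counter is what an operator reads to find the places the
    filter was missed or the topology leaked.
    """
    permitted = denied = 0
    hits = Counter()
    logs = []
    for pkt in packets:
        action, line = evaluate(pkt)
        if action == "deny":
            denied += 1
            hits[pkt.ingress] += 1
            logs.append(line)
        else:
            permitted += 1
    return permitted, denied, hits, logs


# Constructed sample traffic: two SNMP packets claiming a management-LAN
# source but arriving from outside, one legitimate poll from an internal
# interface, and ordinary transit traffic that the rule must not touch.
SAMPLE = [
    Packet("POS1/0", "192.0.2.10", "198.51.100.1", "udp", 161),
    Packet("Serial0/0", "192.0.2.77", "198.51.100.2", "udp", 161),
    Packet("Ethernet0/1", "192.0.2.10", "198.51.100.1", "udp", 161),
    Packet("POS1/0", "203.0.113.5", "198.51.100.3", "tcp", 80),
]

if __name__ == "__main__":
    permitted, denied, hits, logs = audit(SAMPLE)
    print(f"permitted={permitted} denied={denied} by_interface={dict(hits)}")
    for line in logs:
        print(line)
```

The rule keys on the ingress interface rather than on the source address alone, which is the "topological integrity" point in the message: a management-LAN source is only suspicious when it shows up on a link where the topology says it cannot legitimately originate.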
