Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: route authentication

  • From: Rodney Thayer
  • Date: Tue Jun 04 11:21:43 2002

When I've tried asking about this I generally am told...

  (a) it was perceived to cause performance issues,
  (b) the routing software is so brittle that adding this feature
      is considered too high a risk,
  (c) they person at the other end
      didn't know how to enable it so you couldn't do it [in other words,
      there are urban legends about clueless network engineers too.]
  (d) no hacker could figure out how to get into the infrastructure far
      enough to attack that so it's not worth attacking (I consider this
      excuse invalid but that's just my opinion.  I can find Zebra and get
      into a colo, I assume the bad guys could if they felt like it.)

This also comes up at NDSS periodically, I believe.  You might check the
archives for that conference to see if there are papers on the topic.

I'm sure this august body can come up with some more data to identify
consensus reasons.

At 10:20 AM 6/4/02 -0400, batz wrote:

On Tue, 4 Jun 2002, Sean Donelan wrote:

:Some ISPs are practically religious about using them, usually the result
:of a single person at the ISP pushing it.  But for the most part it hasn't
:really taken hold in the professional security consulting field.

I would suggest that it is also ISP's who do not hire security consultants.
Consulting fees tend to come from departmental budgets, and almost
every network engineer I have ever met fancies themselves a security
expert. There isn't alot of incentive for them to get a third party
opinion, because of a lack of faith in the clue of most consultants, and
a general aversion to having anyone touch the delicate house of cards
many network engineers have constructed.

Maybe Cisco could add this as a default requirement of the configuration
that had to be explicitly disabled? In fact, it would be nice if all
protocol configurations had to have their authentication manually
disabled.



--
batz




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.