Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

NSA's recommendation for classful routing (was Re: IP address fee??)

  • From: Sean Donelan
  • Date: Fri Sep 06 18:06:55 2002

On Fri, 6 Sep 2002, Iljitsch van Beijnum wrote:
> Ok, if I connect to their network I'll remove "ip subnet-zero" and "ip
> classless" from my configs to revert to the defaults that still reflect
> the pre-1993 state of affairs, but if they want to connect to "our"
> network, they should play nice and follow the rules we use here.

The National Security Agency has issued the following principles and
guidance for security configuration of IP routers, with detailed
instructions for Cisco Systems routers.  A brief passage from the document:

   By default, a Cisco router will make an attempt to route almost any IP
   packet. If a packet arrives addressed to a subnet of a network that has
   no default network route, then IOS will, with IP classless routing,
   forward the packet along the best available route to a supernet of the
   addressed subnet. This feature is often not needed. On routers where IP
   classless routing is not needed, disable it as shown below.

       Central# config t
       Enter configuration commands, one per line. End with CNTL/Z.
       Central(config)# no ip classless
       Central(config)# exit

Geez, people are worried about the NSA tapping the Internet.  How about
worrying about the NSA connecting misconfigured routers to the Internet?

Yes, even the NSA has bad network days.  They just don't like to talk
about it.
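The forwarding difference behind the quoted `no ip classless` advice, as an added example that is not part of the original message or of the NSA guide. It is a simplified model of the lookup, and the route table, next hops and function names are constructed for illustration.

```python
import ipaddress

def major_network(addr):
    """Return the pre-CIDR class A/B/C network containing addr, or None."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        return None      # class D/E: no classful network
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def lookup(routes, dst, classless):
    """Return the next hop for dst, or None if the packet is dropped.

    classless=True  models "ip classless": plain longest-prefix match.
    classless=False models "no ip classless": if any subnet of the
    destination's major network is in the table, only those subnets are
    considered, and supernet or default routes are never used for it.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [net for net in routes if dst in net]
    if not classless:
        major = major_network(dst)
        if major is not None:
            known = [net for net in routes if net.subnet_of(major)]
            if known:
                candidates = [net for net in known if dst in net]
    if not candidates:
        return None
    return routes[max(candidates, key=lambda net: net.prefixlen)]

# Constructed routing table (documentation and private address space).
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "connected",
    ipaddress.ip_network("10.1.2.0/24"): "via 10.1.1.2",
    ipaddress.ip_network("198.51.100.0/23"): "via 10.1.1.3",  # CIDR supernet
    ipaddress.ip_network("0.0.0.0/0"): "via 10.1.1.254",      # default route
}

if __name__ == "__main__":
    for dst in ("10.1.2.9", "10.9.9.9", "198.51.101.5", "172.16.5.5"):
        print(dst, lookup(ROUTES, dst, True), lookup(ROUTES, dst, False))
```

Only 10.9.9.9 differs between the two modes: it belongs to a major network with known subnets but matches none of them, so the classful lookup drops it instead of following the default route.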
