North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
NSA's recommendation for classfull routing (was Re: IP address fee??)
- From: Sean Donelan
- Date: Fri Sep 06 18:06:55 2002
On Fri, 6 Sep 2002, Iljitsch van Beijnum wrote:
> Ok, if I connect to their network I'll remove "ip subnet-zero" and "ip
> classless" from my configs to revert to the defaults that still reflect
> the pre-1993 state of affairs, but if they want to connect to "our"
> network, they should play nice and follow the rules we use here.
The National Security Agency has issued the following principles and
guidance for security configuration of IP routers, with detailed
instructions for Cisco System routers. A brief passage from the document:
By default, a Cisco router will make an attempt to route almost any IP
packet. If a packet arrives addressed to a subnet of a network that has
no default network route, then IOS will, with IP classless routing,
forward the packet along the best available route to a supernet of the
addressed subnet. This feature is often not needed. On routers where IP
classless routing is not needed, disable it as shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip classless
Geez, people are worried about the NSA tapping the Internet. How about
worrying the NSA connecting misconfigured routers to the Internet?
Yes, even the NSA has bad network days. They just don't like to talk