If any box is on the public Internet without management plane protection, you're going to be compromised. Sure, some may be faster than others, but that doesn't excuse you from rudimentary protections.
If you can't do control plane protection on a device, you should yeet it into the sun, even on an internal network. Lateral movement is a thing.

On Mon, Feb 9, 2026 at 1:57 PM Mike Hammett via NANOG <nanog@lists.nanog.org> wrote:
I'd consider that a bad-faith argument.
"What if there is no control/management plane protection to the device?"
If any box is on the public Internet without management plane protection, you're going to be compromised. Sure, some may be faster than others, but that doesn't excuse you from rudimentary protections.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Barry Greene" <bgreene@senki.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Mike Hammett" <nanog@ics-il.net>
Sent: Monday, February 9, 2026 12:53:14 PM
Subject: Re: Router Recommendations
Hi Mike,
Where are your security requirements? What is the worth of a router today if you put a v6 ACL on it and you drop all your packets to the punt path? What if you cannot get Netflow/IPFIX/sFlow running at a sample rate with export that does not bog down the control/management plane? What if there is no control/management plane protection to the device?
Remember, there is a whole class of threat actors that LOVE Mikrotik's success. It gives them more boxes to 'own' and use with minimal operational impact to the operator.
Barry
On Feb 10, 2026, at 06:10, Mike Hammett via NANOG <nanog@lists.nanog.org> wrote:
I'm looking for new BGP routers. I'm currently running Mikrotik, which has served me well so far, but looking at interface speed, count, FIB size, etc. and they just aren't going to cut it.
I'm looking for:
• Has at least 6x 100G ports
• Has a smattering of 10G/25G ports
• Has meaningful packet buffers
• Routes in hardware at least 2m routes combined of IPv4 and IPv6, more is better
• Has reasonably low power usage, I don't need 1 kw going to a router
• Is cost-effective
• Used is fine
I like how the MX301 looks, but it's way more than I'd want to spend, primarily because there really isn't a used market for them yet. Arista and Cisco NCS are close, but to check all of the boxes, you're up to about $15k - $20k. To get to $5k or less, you're compromising on at least two of the things I'm looking for. EdgeCore and UfiSpace may have some models that are in the $5k - $8k range, once you purchase OcNOS.
I'd have no problem with the EdgeCore and UfiSpace direction, but I wanted to make sure I wasn't leaving anything out of consideration.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ANH4UUU6...