On Wed, 13 Feb 2002, Ron da Silva wrote:
On Tue, Feb 12, 2002 at 07:32:07PM +0000, Eric Brandwine wrote:
> "sd" == Sean Donelan <sean@donelan.com> writes:
sd> On Tue, 12 Feb 2002, Alex Rubenstein wrote:
sd> ASN.1 is pretty cool, but I've been wondering are there that
sd> many ISPs which allow external SNMP access to their equipment?
sd> SNMP is a UDP management protocol, and even under the best of
sd> conditions, accepting packets from out of the blue isn't a good
sd> idea.
Spoofed packets?
It's not feasible to filter antispoof at OC-12 or OC-48 line rate on all customer facing interfaces.
But it should be not only feasible, but standard practice.
'Should be' is the key word here... in practical terms, though, this is not feasible. There are revisions of OC-12 and OC-48 cards in platforms that don't support filtering. Long term, all users of internet routing hardware (or routing hardware in general) should push their vendors to implement line-rate filtering. There really is no reason NOT to do it, is there? Even better would be the ability to look inside the entire packet; this way the next Code Red can be stopped at a higher level in the network where people that actually care about the problem can take appropriate action.

-Chris