"rds" == Ron da Silva <ron@aol.net> writes:
sd> ASN.1 is pretty cool, but I've been wondering are there that
sd> many ISPs which allow external SNMP access to their equipment?
sd> SNMP is a UDP management protocol, and even under the best of
sd> conditions, accepting packets from out of the blue isn't a good
sd> idea.
Spoofed packets?
It's not feasible to filter antispoof at OC-12 or OC-48 line rate on all customer facing interfaces.
rds> But it should be not only feasible, but standard practice.

It's impossible using most high bandwidth gear that's out there. At these speeds, you can either route the bits, or look at them, but not both. Juniper is the one vendor that's given us packet inspection abilities that scale with bandwidth. We have non-Juniper routers. Please, tell your vendors you want line-rate filtering up to layer 4. We're tired of being told "But you're the only ones that ask for this".

Without control plane separation (and it's not possible with Cisco, Juniper, or most other routers out there), management services are listening on the public network, and that makes this very scary, regardless of filtering policies, etc.

ericb
--
Eric Brandwine | "Intel Inside" is a Government Warning required by Law.
UUNetwork Security | ericb@uu.net | +1 703 886 6038 | - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
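The two policies the thread is arguing about (antispoof filtering on customer-facing interfaces, and keeping management services such as SNMP off the public network when the router cannot separate its control plane) can be written down as a small software model. The following is an added illustration, not code from anyone in this thread or from any router vendor; the interface names, prefixes and router address are constructed from the RFC 5737 documentation ranges, and the functions and the management source range are hypothetical. It shows what an ingress filter actually has to decide per packet (source address must belong to a prefix assigned to the ingress interface), and why a management service reachable from outside the NOC range is a problem even when that filter is in place.

```python
"""Model of two router ingress policies discussed in the thread:
   1. BCP38-style antispoof: drop packets whose source address is not in a
      prefix assigned to the interface they arrived on.
   2. Control-plane policy: packets aimed at the router's own management
      services are only accepted from a management (NOC) source range.
All addresses are constructed examples from the RFC 5737 ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface the packet arrived on
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "udp" or "tcp"
    dport: int   # destination port


# Hypothetical customer prefix assignments per customer-facing interface,
# plus one interface facing the (hypothetical) NOC network.
INTERFACE_PREFIXES = {
    "ge-0/0/0": ["203.0.113.0/24"],                       # NOC-facing
    "ge-0/0/1": ["192.0.2.0/24"],                         # customer A
    "ge-0/0/2": ["198.51.100.0/25", "198.51.100.128/26"],  # customer B
}
# Hypothetical addresses owned by the router itself.
ROUTER_ADDRESSES = ["203.0.113.254"]
# Management services listening on the router (SNMP and SSH here).
MANAGEMENT_SERVICES = {("udp", 161), ("tcp", 22)}
# Only this hypothetical NOC range may reach those services.
MANAGEMENT_SOURCES = ["203.0.113.0/28"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def ingress_allowed(pkt, interface_prefixes=INTERFACE_PREFIXES):
    """Antispoof check: the source must fall inside a prefix assigned to the
    ingress interface. An interface with no assignment accepts nothing."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in _nets(interface_prefixes.get(pkt.iface, [])))


def control_plane_allowed(pkt, router_addresses=ROUTER_ADDRESSES,
                          services=MANAGEMENT_SERVICES, sources=MANAGEMENT_SOURCES):
    """Control-plane check: transit traffic passes untouched; traffic to a
    management service on the router itself passes only from the NOC range."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in {ipaddress.ip_address(a) for a in router_addresses}:
        return True  # not addressed to the router: forwarding-plane traffic
    if (pkt.proto, pkt.dport) not in services:
        return True  # router-addressed but not a management service
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in _nets(sources))


def classify(pkt):
    """Apply the antispoof filter first (as a line card would), then the
    control-plane policy, and return a verdict string."""
    if not ingress_allowed(pkt):
        return "drop:spoofed-source"
    if not control_plane_allowed(pkt):
        return "drop:management-from-outside"
    return "forward"


# Constructed sample traffic exercising each branch of the policy.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.1", "udp", 53),         # valid customer A source
    Packet("ge-0/0/1", "198.51.100.5", "203.0.113.1", "udp", 53),       # customer B address from A's port
    Packet("ge-0/0/2", "198.51.100.150", "203.0.113.1", "tcp", 443),    # inside 198.51.100.128/26
    Packet("ge-0/0/2", "198.51.100.200", "203.0.113.1", "tcp", 443),    # outside both B prefixes
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.254", "udp", 161),      # SNMP to router from a customer
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.254", "udp", 5000),     # router-addressed, not management
    Packet("ge-0/0/0", "203.0.113.5", "203.0.113.254", "udp", 161),     # SNMP from the NOC range
    Packet("ge-0/0/0", "203.0.113.100", "203.0.113.254", "udp", 161),   # SNMP from outside the NOC range
]


def verdict_counts(packets=SAMPLE_PACKETS):
    """Summarise how many packets got each verdict."""
    counts = {}
    for pkt in packets:
        v = classify(pkt)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {classify(pkt)}")
    print(verdict_counts())
```

The order of the two checks mirrors where the work would have to happen in hardware: the antispoof decision needs only the ingress interface and the source address, which is the per-packet lookup the thread says most line cards cannot do at OC-12/OC-48 rates, while the control-plane check only matters for the small fraction of packets addressed to the router itself. If the second check did not exist, the SNMP packet from 192.0.2.10 would reach the management service even though it passed the antispoof filter, which is the exposure the last paragraph of the mail describes.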