On Mon, Sep 17, 2001 at 02:32:56PM -0700, Roeland Meyer wrote:
Why, IGP shouldn't even be visible from outside the border, neh? Internal issues are, internal issues. If it leaks, plug the leak.
Randy said _think_ about it. Does your IGP run over IP? Might that be a vector? Might your customers have the ability to do things that non-customers cannot? Does your architecture require you to mark all customer-facing interfaces as "passive"? Do you verify regularly that you don't have a misconfiguration in this area? Are you vulnerable to arp games at your point of customer-attach? Do you have SNMP access to your routers carefully filtered? Are you running multicast? Are there bugs that affect only multicast routing? Are you running code that is vulnerable to those bugs? I'm sure there are other avenues of attack, but these are just a few that we've considered here. If I can compromise your IGP I have a very good chance of being able to melt down your entire network, or at least large portions of it, almost at will. In large networks, IGPs tend to go absolutely haywire when they fail and the resulting implosion often obliterates most traces of the event that started it -- at the very least, one has to sift through mountains of log data to find the beginning of the end. Having been through this once, and working with folks who went through it elsewhere on even larger networks, I assure you that recovery time from such an event can stretch from several hours to a few days. --Jeff