"js" == Jesper Skriver <jesper@skriver.dk> writes:
js> On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:
js> > Without control plane separation (and it's not possible with Cisco, Juniper, or most other routers out there), management services are listening on the public network, and that makes this very scary, regardless of filtering policies, etc.
js> interfaces {
js>     ...
js> }
js> firewall {
js>     ...
js> }

OK, but that's filtering. The telnet/ssh/snmp daemon is still listening on all interfaces. You can't get there, as long as your filter stands, but those are some hard filters to write. They're simple when they're simple, but they're very complex when they're not. You're relying on your filters, rather than on proper configuration of the daemon.

On a UNIX system, you can bind a service to all interfaces (e.g. *.161) or just to a specific interface (10.1.2.3:161). This should be possible in general, on all routers.

We HAVE an OOB management network. This is where all our console servers, switches (there is no Ethernet in the backbone, don't shove VLANs at me), etc. all live. This address space is not routed to you. We like this. There are no cost issues; we've already paid for it, and need it for our layer 1/2 network anyway.

But then you plug an IP port on the router (vs. a console port) into the mgmt net, and you've bridged the public net and the mgmt net. Virtual routers are capable of maintaining multiple routing tables, but last I checked, Juniper was not.

So how do you route this? I send an SNMP query to the device. It comes in over the mgmt net (because for me, in my datacenter, the loopback for that device (or its mgmt IP) is routed across the mgmt net). The device receives, digests, and decides to respond to this query. Where does it send it? My datacenter is routed on the internet, so does it send it out the public interface? Or do I route my datacenter over the mgmt net? You can start filtering, but then those filters are suddenly very important, crucial to the proper operation of the network. Better not fat finger anything. Ever. Or do I move all my backbone-facing datacenters into a network that is not routed on the Internet, but only on the mgmt net? That has its own host of problems.
And you still have to convince the router not to propagate routes that it learns from the mgmt net into the public network. This can be done with filters, but when you have a global mgmt network spread over many netblocks, regions, etc., it's ugly.

The router needs to act as a router to the public network. But it needs to act as a host (with only 1 interface) to the mgmt net. This is not how current routers work.

Been there, done that, it's not that simple.

ericb
--
Eric Brandwine       | Put your hand on a hot stove for a minute and it seems
UUNetwork Security   | like an hour, sit next to a pretty woman for an hour
ericb@uu.net         | and it seems like a minute. That's relativity.
+1 703 886 6038      |                                  - Albert Einstein
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
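The distinction Eric draws above, a daemon bound to every interface (*.161) versus one pinned to a specific management address (10.1.2.3:161), is something an operator can check for on any host-style device rather than trusting a filter to hide the listener. The following is an added example, not code from the thread or from any vendor; it parses listener rows in the style of `ss -lntu` output (the sample rows are constructed, and the management address 10.1.2.3 is taken from the post as an assumed approved address) and reports every SSH, telnet or SNMP listener that is not pinned to an approved management address.

```python
"""Audit listener rows for management daemons bound to the wildcard address.

Added example (not from the original mailing-list thread). Parses rows in
the style of `ss -lntu` / netstat output and flags SSH, telnet and SNMP
listeners that are reachable on every interface (0.0.0.0, *, ::) or bound
to an address outside the approved management set.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Management services whose listener should be pinned to a management address.
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp"}
# Local-address spellings that mean "every interface" in ss/netstat output.
WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed sample in the layout of `ss -lntu` (not captured from a real box).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      5      10.1.2.3:23         0.0.0.0:*
udp   UNCONN 0      0      *:161               *:*
udp   UNCONN 0      0      10.1.2.3:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local address as listed, with IPv6 brackets stripped
    port: int


# Data rows of `ss -lntu`: netid, state, recv-q, send-q, local addr:port, peer
ROW_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def split_local(local: str):
    """Split 'host:port' as printed by ss/netstat, including '[::]:22' and ':::22'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Turn listener rows into Listener records; header and unrelated rows are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        host, port = split_local(m.group("local"))
        out.append(Listener(m.group("proto"), host, port))
    return out


def audit(listeners: Iterable[Listener], mgmt_addrs: Set[str]) -> List[Listener]:
    """Return management listeners that are not pinned to an approved management address.

    A wildcard bind is always a finding; a bind to a specific address is a
    finding only when that address is not in mgmt_addrs.
    """
    findings = []
    for l in listeners:
        if l.port not in MGMT_PORTS:
            continue
        if l.addr in WILDCARDS or l.addr not in mgmt_addrs:
            findings.append(l)
    return findings


def describe(finding: Listener) -> str:
    """Human-readable one-liner for a finding."""
    svc = MGMT_PORTS[finding.port]
    where = "all interfaces" if finding.addr in WILDCARDS else finding.addr
    return f"{svc}/{finding.proto} listens on {where} (port {finding.port})"


if __name__ == "__main__":
    # Assumed approved management address, taken from the example in the post.
    for f in audit(parse_listeners(SAMPLE_SS), {"10.1.2.3"}):
        print(describe(f))
```

On the sample rows the audit reports SSH on 0.0.0.0 and ::, and SNMP on *, while the telnet and SNMP listeners pinned to 10.1.2.3 and the HTTP listener on port 80 pass. The check is deliberately about the bind address, not about any filter in front of the socket, which is the property the post argues routers should expose directly.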