On Wed, Feb 13, 2002 at 08:38:03AM -0800, jerry scharf wrote:
> C'mon guys. Exchange point rate anti-spoof filtering is not necessary to solve this problem.
How do you filter your peers to prevent them from spoofing your infrastructure space? Not everyone filters their customers because either a) they have a large and varying set of routes (and IP sources) they may send at you, b) they can't manage it, or c) their routers can't filter (fast enough).
> This is why there are switches (using vlans if you choose) and router interfaces. Unless you are taking an OC3's worth of management traffic, you create a net just for your management traffic, put it on an interface and hang your entire site's snmp gear off of that. If you want it to be private, GRE and 1918 addresses are your friends, and filter to allow only traffic from those nets. None of this is new or hard.
No it is not, but the problem is that when extracting snmp data (for billing, for example) one cannot always use an oob network or a vpn solution to extract this data, due to port cost, etc. IMHO router vendors should be able to do the various types of filtering at line rate (strict rpf, loose rpf, "any rpf", rate-limit icmp, filter based on exact config to prevent DoS or track such items). Some vendors did not consider this key functionality when they designed their routers/linecards.
> Also, most everyone now supports snmpv3 security, so you can do that as well. (I just do it the old way I know how, so I haven't played much with this.)
Sure this works assuming all your pollers can support snmpv3 without any complicated problems and have resources to allocate to the various projects that collect this data. I'm sure there are a few companies these days that are having a harder time getting the money and resources to perform non-critical upgrades to these systems when the current one works just fine.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
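An added illustration (not part of the original message or the thread) of the controls discussed above in Cisco IOS syntax: a dedicated RFC 1918 management net reached over GRE, SNMP (v3 and legacy v2c) restricted by ACL to that net, strict uRPF on a single-homed customer port, loose uRPF plus an anti-spoof ACL on a peering port, and an ICMP policer. Interface names, addresses, group/user names and the bracketed secrets are assumed placeholders.

```cisco
! Dedicated management net (RFC 1918) reached via GRE from the NOC
interface Vlan900
 description Management net for SNMP pollers
 ip address 10.255.0.1 255.255.255.0
!
interface Tunnel0
 description GRE to NOC poller network (assumed tunnel endpoint)
 ip address 10.254.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.10
!
! Only the management nets may talk SNMP to this box
ip access-list standard MGMT-SNMP
 permit 10.255.0.0 0.0.0.255
 permit 10.254.0.0 0.0.0.3
 deny   any log
!
! SNMPv3 with authentication and privacy, bound to the same ACL
snmp-server group NOC-V3 v3 priv access MGMT-SNMP
snmp-server user poller NOC-V3 v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS> access MGMT-SNMP
! Legacy v2c read-only community for old pollers, still restricted by the ACL
snmp-server community <RO-COMMUNITY> RO MGMT-SNMP
!
! Strict uRPF on a single-homed customer port: source must be reachable via this interface
interface GigabitEthernet0/1
 description Single-homed customer
 ip verify unicast source reachable-via rx
!
! Peering port: loose uRPF (asymmetric routing makes strict mode drop legitimate traffic),
! plus an ACL dropping packets that claim to come from our own management space
ip access-list extended PEER-IN
 deny   ip 10.255.0.0 0.0.0.255 any
 deny   ip 10.254.0.0 0.0.0.3 any
 permit ip any any
!
ip access-list extended ICMP-ONLY
 permit icmp any any
class-map match-all ICMP-IN
 match access-group name ICMP-ONLY
policy-map PEER-POLICE
 class ICMP-IN
  police 256000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/2
 description Exchange point peering
 ip verify unicast source reachable-via any
 ip access-group PEER-IN in
 service-policy input PEER-POLICE
```

The ACL on the peering port is what catches a peer spoofing the management range; the uRPF modes and the policer are the line-rate features the reply asks vendors to support.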