RE: routing between provider edge and CPE routers
> So, by accepting routes from CPE you create a huge security vulnerability for your customers, and other parties. This practice was understood as very bad network engineering for decades.

Is there someplace I can find tidbits of information like this? I haven't been alive decades so I must have missed that memo. Other than this list I don't know where to find anyone with lots of experience working for a service provider.

> 1) for single-homed sites use static routing, period. Dynamic routing does not add anything useful in this case (if the circuit is down, it's down, there are no alternative ways to reach the customer's network).

I agree, and all the feedback I've gotten should help me convince my peers.

> The "convenience" of having to configure only the CPE box is no excuse. Invest some resources in a rather trivial configuration management system, which keeps track of what network addresses were allocated to which customer, and produces corresponding bits of router configuration automatically. Most respectable ISPs did that a long time ago. That will also reduce your tech support costs.

I've never heard of software like that. Do you have a recommended vendor? Is it typically developed in house?

> PS. They should really require a test in "defensive networking" before letting anyone touch the provider's routers...

What can I say, I must work cheap!
On Wed, 29 Jan 2003, Mike Bernico wrote:
> Is there someplace I can find tidbits of information like this? I haven't been alive decades so I must have missed that memo. Other than this list I don't know where to find anyone with lots of experience working for a service provider.

Well, this list... in the old archives. The current backbone design issues were pretty much tossed around in 93-94, the "defensive networking" concept included.

> I've never heard of software like that. Do you have a recommended vendor? Is it typically developed in house?

There's no sustainable market for those, so they're always home-built... Often it is just a collection of scripts and some RCS to keep configs in.

> What can I say, I must work cheap!

:) --vadim
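The thread recommends two things for single-homed customers: static routes on the provider edge instead of accepting anything the CPE announces, and a small home-built tool that turns the address-allocation records into router configuration. The script below is an added illustration of that kind of tool and is not code from either poster or from any real ISP; the customer names, interface names and prefixes are constructed sample data, and the emitted lines use IOS-style `ip route` syntax as an assumed target. It validates the allocation table (rejecting overlaps between customers), generates the PE static routes and the CPE default route, and includes an audit helper that flags any prefix received from a CPE that falls outside that customer's allocation, which is the check a "defensive networking" filter would apply and, with static routing in place, should never have anything to report.

```python
import ipaddress

# Constructed sample allocation records (hypothetical customers, interfaces
# and RFC 5737 documentation prefixes; not data from the mailing-list thread).
ALLOCATIONS = [
    {"customer": "acme", "pe_interface": "Serial0/0",
     "prefixes": ["192.0.2.0/24"]},
    {"customer": "widgets", "pe_interface": "Serial0/1",
     "prefixes": ["198.51.100.0/25", "198.51.100.128/25"]},
]


def validate_allocations(allocations):
    """Every prefix must be a proper network, and no two customers may overlap."""
    seen = []  # (customer, network) pairs already accepted
    for rec in allocations:
        for text in rec["prefixes"]:
            net = ipaddress.ip_network(text, strict=True)  # host bits set -> error
            for owner, other in seen:
                if owner != rec["customer"] and net.version == other.version \
                        and net.overlaps(other):
                    raise ValueError(
                        f"{rec['customer']} {net} overlaps {owner} {other}")
            seen.append((rec["customer"], net))
    return True


def pe_static_routes(allocations):
    """Provider-edge side: one static route per allocated prefix, pointing at
    the customer's access interface. IOS-style syntax is assumed here."""
    lines = []
    for rec in allocations:
        lines.append(f"! customer {rec['customer']}")
        for text in rec["prefixes"]:
            net = ipaddress.ip_network(text)
            lines.append(
                f"ip route {net.network_address} {net.netmask} {rec['pe_interface']}")
    return lines


def cpe_default_route(pe_next_hop):
    """CPE side: a single-homed site needs nothing but a default route to the PE."""
    hop = ipaddress.ip_address(pe_next_hop)  # validates the address
    return [f"ip route 0.0.0.0 0.0.0.0 {hop}"]


def unauthorised_prefixes(customer, received, allocations):
    """Audit helper: prefixes seen from a CPE that lie outside that customer's
    allocation. With static routing on the PE nothing should be learned from
    the CPE at all, so any entry returned points at a misconfigured CPE or at
    a customer interface that was mistakenly left running a routing protocol."""
    allowed = []
    for rec in allocations:
        if rec["customer"] == customer:
            allowed = [ipaddress.ip_network(p) for p in rec["prefixes"]]
    bad = []
    for text in received:
        net = ipaddress.ip_network(text, strict=False)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            bad.append(str(net))
    return bad


if __name__ == "__main__":
    validate_allocations(ALLOCATIONS)
    print("\n".join(pe_static_routes(ALLOCATIONS)))
    print("\n".join(cpe_default_route("203.0.113.1")))
    # Constructed snapshot of what a CPE announced: one legitimate subnet, one not.
    print(unauthorised_prefixes("acme", ["192.0.2.0/25", "10.0.0.0/8"], ALLOCATIONS))
```

Keeping the generated output under version control, as the thread's mention of RCS suggests, gives you a diff of every change to customer routing, which is useful both for rollback and for noticing a route that appeared without a matching allocation record.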
participants (2): Mike Bernico, Vadim Antonov