Re: not rewriting next-hop, pointing default, ...
On Sep 11 15:23, Randy Bush wrote:
} Subject: Re: not rewriting next-hop, pointing default, ...
% I also think it may be time we refuse to peer with anyone
% who inhibits LSR, as it seems that validation is now mandatory.
% I think we should be sending out a "LSR is mandatory" notice
% to our peers. Comments?

LSR is actually a significant security issue. So, while I do understand and am sympathetic to the operational debugging issues that LSR addresses, I think that requiring a peer to enable LSR more than 2 hops inside their network from the outside world is unreasonable.

In a world where SSH were available in cisco routers and/or IPsec were more widely deployed, I might have different views. However, we are where we are.

Regards,

Ran
rja@home.net
> LSR is actually a significant security issue. So, while I do understand and am sympathetic to the operational debugging issues that LSR addresses, I think that requiring a peer to enable LSR more than 2 hops inside their network from the outside world is unreasonable.

So, you're comfortable with asking for LSR at the IX and a hop behind?

> In a world where SSH were available in cisco routers and/or IPsec were more widely deployed, I might have different views.

K5 does not give you sufficient warm fuzzies?

randy
On Thu, Sep 11, 1997 at 03:54:00PM -0800, Randy Bush wrote:
> > LSR is actually a significant security issue. So, while I do understand and am sympathetic to the operational debugging issues that LSR addresses, I think that requiring a peer to enable LSR more than 2 hops inside their network from the outside world is unreasonable.
>
> So, you're comfortable with asking for LSR at the IX and a hop behind?
>
> > In a world where SSH were available in cisco routers and/or IPsec were more widely deployed, I might have different views.
>
> K5 does not give you sufficient warm fuzzies?
>
> randy

Get a few connections to your core hardware hijacked and you'll start installing hardwired modems on console ports and shutting off access to the telnet side entirely. That's a SERIOUS pain in the arse.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
On Thu, Sep 11, 1997 at 03:45:22PM -0700, Ran Atkinson wrote:
> On Sep 11 15:23, Randy Bush wrote:
> } Subject: Re: not rewriting next-hop, pointing default, ...
> % I also think it may be time we refuse to peer with anyone
> % who inhibits LSR, as it seems that validation is now mandatory.
> % I think we should be sending out a "LSR is mandatory" notice
> % to our peers. Comments?
>
> LSR is actually a significant security issue. So, while I do understand and am sympathetic to the operational debugging issues that LSR addresses, I think that requiring a peer to enable LSR more than 2 hops inside their network from the outside world is unreasonable.
>
> In a world where SSH were available in cisco routers and/or IPsec were more widely deployed, I might have different views. However, we are where we are.
>
> Regards,
>
> Ran
> rja@home.net

I'd love to be able to reasonably run with LSR enabled. However, we then become the "bounce point" for all kinds of fun stuff, including denial of service attacks launched against *OTHERS*. It's off at our entrance routers for this reason.

If EVERY provider shut it off EXCEPT on the core (ie: it was on where only network personnel could get to and use it) I wouldn't mind. But with it on all the way to the end customer circuit in many cases enabling it on your core can create some serious security problems.

We *used* to run with it on, and shut it off for exactly this reason.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
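The "bounce point" concern in the message above comes down to one question an entrance router has to answer per packet: does this IPv4 header carry a Loose (LSRR, option type 131) or Strict (SSRR, option type 137) Source and Record Route option as defined in RFC 791? The following is an added illustration, not code from this thread or from any router vendor: it walks the IPv4 options area, extracts the hop list from a source-route option, and returns an edge verdict of "drop" or "forward". The sample headers are constructed inline with documentation-range addresses; the builder functions exist only to produce test data, and the checksum is left at zero because nothing here transmits the packets.

```python
import struct
import ipaddress

# IPv4 option type codes from RFC 791
EOL, NOP = 0, 1
LSRR = 131   # Loose Source and Record Route
SSRR = 137   # Strict Source and Record Route


def parse_ipv4_options(packet: bytes):
    """Return a list of (option_type, option_data) tuples from an IPv4 header.

    Raises ValueError on a truncated header or on an option whose length
    field runs past the options area, so a malformed packet is rejected
    instead of being silently treated as clean.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL inconsistent with packet length")
    opts = packet[20:ihl]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def source_route(packet: bytes):
    """Return ("loose" | "strict", [hop addresses]) if the packet carries an
    LSRR or SSRR option, otherwise None."""
    for kind, data in parse_ipv4_options(packet):
        if kind in (LSRR, SSRR):
            # data[0] is the route pointer; the rest is a list of 4-byte addresses
            addrs = data[1:]
            hops = [str(ipaddress.IPv4Address(addrs[k:k + 4]))
                    for k in range(0, len(addrs) - len(addrs) % 4, 4)]
            return ("loose" if kind == LSRR else "strict", hops)
    return None


def ingress_verdict(packet: bytes) -> str:
    """Entrance-router policy from the thread: drop anything source routed."""
    return "drop" if source_route(packet) else "forward"


# --- constructed sample data (test helpers, not captured traffic) ---

def source_route_option(kind: int, hops) -> bytes:
    """Encode an LSRR/SSRR option; the pointer starts at offset 4 per RFC 791."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(body), 4]) + body


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (TTL 64, protocol TCP, checksum zero) plus options,
    padded with EOL bytes to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


if __name__ == "__main__":
    plain = build_ipv4_header("192.0.2.10", "198.51.100.20")
    bounced = build_ipv4_header(
        "192.0.2.10", "198.51.100.20",
        b"\x01" + source_route_option(LSRR, ["203.0.113.1", "198.51.100.20"]))
    print(ingress_verdict(plain), source_route(plain))
    print(ingress_verdict(bounced), source_route(bounced))
```

The parser treats a bad length field as an error rather than skipping the option, because an ingress filter that fails open on malformed options is exactly the gap a bouncer would look for. On Cisco IOS the equivalent per-box setting is the global `no ip source-route`, which makes the router discard source-routed packets instead of forwarding them along the embedded hop list; the policy Karl describes is that setting at every entrance router, with LSR left on only where network staff can reach it.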