North American Network Operators Group
Re: not rewriting next-hop, pointing default, ...
On Thu, Sep 11, 1997 at 03:45:22PM -0700, Ran Atkinson wrote:
> On Sep 11 15:23, Randy Bush wrote:
> } Subject: Re: not rewriting next-hop, pointing default, ...
>
> % I also think it may be time we refuse to peer with anyone
> % who inhibits LSR, as it seems that validation is now mandatory.
> % I think we should be sending out a "LSR is mandatory" notice
> % to our peers. Comments?
>
> LSR is actually a significant security issue. So, while I do
> understand and am sympathetic to the operational debugging
> issues that LSR addresses, I think that requiring a peer to
> enable LSR more than 2 hops inside their network from the
> outside world is unreasonable.
>
> In a world where SSH were available in cisco routers and/or
> IPsec were more widely deployed, I might have different views.
> However, we are where we are.
>
> Regards,
>
> Ran
> firstname.lastname@example.org

I'd love to be able to reasonably run with LSR enabled. However, we then become the "bounce point" for all kinds of fun stuff, including denial of service attacks launched against *OTHERS*. It's off at our entrance routers for this reason.

If EVERY provider shut it off EXCEPT on the core (i.e., it was on where only network personnel could get to and use it) I wouldn't mind. But with it on all the way to the end customer circuit in many cases, enabling it on your core can create some serious security problems.

We *used* to run with it on, and shut it off for exactly this reason.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
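As an added illustration (not part of the thread or any poster's code), the check an entrance-router filter performs to do what Karl describes: parse the IPv4 option list and flag packets carrying a Loose or Strict Source Route option. The packet bytes are constructed for the example; the option type values 131 and 137 are the RFC 791 assignments.

```python
import struct

# IPv4 option types from RFC 791: 131 = Loose Source and Record Route,
# 137 = Strict Source and Record Route. Dropping these at the network edge
# is what "LSR off at the entrance routers" amounts to.
LSRR, SSRR = 131, 137

def source_route_options(packet: bytes):
    """Return [(option_name, [hop IPs])] for source-route options in an
    IPv4 header, or an empty list when the packet carries none."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    found = []
    i = 20                                  # options start after the fixed header
    while i < ihl:
        kind = packet[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation (single-byte padding)
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed IPv4 option")
        if kind in (LSRR, SSRR):
            route = packet[i + 3:i + length]        # skip kind, length, pointer
            hops = [".".join(str(b) for b in route[j:j + 4])
                    for j in range(0, len(route) - len(route) % 4, 4)]
            found.append(("LSRR" if kind == LSRR else "SSRR", hops))
        i += length
    return found

def build_sample(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (no payload) carrying the given options,
    padded to a 32-bit boundary. Checksum is left at zero for brevity."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded),
                      0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + padded

# Constructed samples: one LSRR option with two hops (length 3 + 2*4 = 11,
# pointer 4 = first hop), and one plain header with no options.
LSR_PACKET = build_sample(bytes([LSRR, 11, 4]) +
                          bytes([203, 0, 113, 9, 198, 51, 100, 1]))
PLAIN_PACKET = build_sample()
```

A filter would drop (and log) any packet for which the returned list is non-empty at the customer-facing or peer-facing interface.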