[c-nsp] Naming Conventions

Paul Stewart pauls at nexicom.net
Mon Aug 23 12:34:14 EDT 2004


This is a good question...

I don't like the idea of telling the world what kind of equipment we
have at our edge and/or servicing a customer.... we wanted to adopt a
method that is easy for our techs to understand but for an "outsider"
not easy to understand.

As for the port issue, we will probably use slot/port methods which
still doesn't tell the outsider much stuff such as speed, port type
(ATM, Ethernet etc.)  

I guess our approach is to hide as much as possible but not make it
difficult for us to understand our own network.  The geographic naming
is fine too in my opinion (naming the POP's after where they are
located) as it doesn't tell them where in a city the equipment is
located or anything...

Really, our initiative is geared because we use gw-7513, gw-3640 etc.
and are running into duplicates plus we feel it's better to not provide
that information to the world.  If a new BGP exploit comes out for
example, then a hacker knows right away to target gw-7513 versus gw-1710
for example...  

The final thing that we are changing is customer names on interfaces. 
We have a number of customers that we have used
gw-cust-customername.domain.net as example.  This gives too much
information away to people as to who are customers are and how they are
connected...

Take care,

Paul


On Mon, 2004-08-23 at 12:17, james at thehamptonfamily.us wrote:
> I to am in the process of developing a standard naming convention, but was
> afraid of giving away to much info when using model numbers and port IDs
> in names. Am I being to paranoid, or can a hacker who is profiling a
> company actually use this info in some way?
> 
> James
> 
> 
> > On Sun, 22 Aug 2004, Paul Stewart wrote:
> >
> >> We're a mid-sized ISP and I'm looking at trying to standardize our
> >> naming conventions for routers/switches/firewalls.
> >>
> >> Just looking to see what the "norm" is that makes sense.  Currently we
> >> use gw-7513, gw-5513 etc. but this doesn't really make sense nor is it
> >> good from a security perspective in my opinion.
> >
> > You'll probably get lots of different answers to this :-)
> >
> > I've found it's better to name devices based on what they do, not that
> > they are.  That way if you replace that 5513 with a 6513, you don't need
> > to change DNS, and potentially other things like monitoring software,
> > etc...
> >
> > I've worked for a mid-size ISP and designed the network device naming
> > conventions for them, so I have some experience here.  These are just my
> > thoughts.  You may choose to do something completely different.
> >
> > What I've done in the past is something like this:
> >
> > core routers
> > ------------
> > crX.location/pop.state/country.isp.net
> >
> > I see lots of places use either a general location ID, such as "paix01"
> > or or something based on telco CLLI codes, like "nycmny" for New York
> > City (Manhattan).
> >
> > example:
> > cr1.paix01.ca.isp.net
> >
> > This would normally point to the primary loopback interface on the
> > device specific interfaces could be identified in much the same way
> >
> > p1-0-0.cr1.paix01.ca.isp.net
> > t3-2-0-0.cr1.paix01.ca.isp.net
> >
> > customer attach/access routers
> > ------------------------------
> > arX.same-format-as-above
> >
> > Specific interfaces could be identified the same way.  Interfaces with
> > sub-interfaces (frame relay, ATM, 802.1q ethernet trunks, etc) could
> > also be identified the same way
> >
> > t1-1-2-1-24.ar1.paix01.ca.isp.net
> > s2-0-17-0.ar1.paix01.ca.isp.net
> > a2-0-1-305.ar2.paix01.ca.isp.net
> >
> > core switches
> > -------------
> > csX.same-format-as-above
> >
> > If your switches are doing any layer 3 routing, you can label specific
> > interfaces
> >
> > g5-1.cs1.paix01.ca.isp.net
> > f2-48.cs2.paix01.ca.isp.net
> >
> > distribution/access switches
> > ----------------------------
> > asX.same-format-as-above
> >
> > firewalls
> > ---------
> > fwX.same-format-as-above
> >
> > specific interfaces would depend on your firewall's interface naming
> > standards, e.g. ethernet0,1,2.... for Cisco PIXes, etc.  I'd recommend
> > that rather than using things like "dmz1" or "outside0" because that can
> > reveal more than you want about your network architecture.
> >
> > jms
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 



More information about the cisco-nsp mailing list