[c-nsp] CoPP

Mike Bernico mbernico at illinois.net
Thu Apr 14 10:39:25 EDT 2005


I definitely agree with your strategy.  

The first step in securing the infrastructure should be filters at the
network edge.  For a service provider this is not always an easy task,
but it is definitely worth the effort and investment.  

While the above is good and may stop most attacks, edge filtering is
just an M&M approach to security (hard shell, soft chocolate).  That's
why, as you said, layers of security are best.  This is the heart of the
defense in depth strategy security people talk about so much.  

The trick in deploying CoPP or any technique in a layered filtering
strategy is being specific enough to be secure, but still being general
enough so that your rules don't turn into an administrative nightmare.
No one really wants to have to adjust an ACL every time a new BGP
customer is added, but everyone should want a pretty specific set of
rules.  It's a balancing act with no perfect solution IMO.

Mike Bernico
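A concrete illustration of the balancing act described above, added here as an example and not part of Mike's or Rodney's messages: a minimal Cisco IOS CoPP policy written in the two styles the "administrative nightmare" remark contrasts. The general BGP class matches TCP/179 from any source, so it never needs editing when a customer is added but relies entirely on the policer; the specific class enumerates peers in an ACL, which is stricter but has to be maintained. All addresses (192.0.2.0/24, 198.51.100.0/24) are constructed documentation ranges, and the policer rates are placeholders, not values taken from the thread.

```cisco
! --- General form: protect the RP from a BGP flood without tracking peers.
! Any source may reach TCP/179; the policer, not a source list, limits damage.
ip access-list extended COPP-BGP-ANY
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! --- Specific form: only configured neighbours may reach TCP/179 on the box.
! Stricter, but this ACL must be edited for every new BGP customer.
! 192.0.2.10 and 198.51.100.20 are constructed example peer addresses.
ip access-list extended COPP-BGP-PEERS
 permit tcp host 192.0.2.10 any eq bgp
 permit tcp host 192.0.2.10 eq bgp any
 permit tcp host 198.51.100.20 any eq bgp
 permit tcp host 198.51.100.20 eq bgp any
!
! Management traffic (SSH, SNMP) from a constructed NOC prefix only.
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
! Pick one BGP ACL here: COPP-BGP-PEERS (specific) or COPP-BGP-ANY (general).
class-map match-all COPP-BGP
 match access-group name COPP-BGP-PEERS
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
! Rates (bps, burst bytes) are placeholders; size them from observed punt
! traffic on the real platform before enforcing drops.
policy-map COPP
 class COPP-BGP
  police 1000000 125000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 256000 32000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else punted to the RP (ICMP, IGP hellos, ARP, ...) lands
  ! here; a production policy needs a class per protocol before this
  ! rate can safely be made this low.
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verify per-class conform/exceed counters before tightening any rate:
! show policy-map control-plane input
```

Whichever class style is chosen, the policer only protects the route processor; as the thread notes, a large enough flood can still saturate the path to it, so CoPP complements edge filtering rather than replacing it.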



-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com] 
Sent: Thursday, April 14, 2005 7:31 AM
To: Mike Bernico
Cc: Roger Weeks; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] CoPP

I get asked this question a lot about how to protect the
box. The best security, IMO, in this area: you block at
the edges and, as you move to the devices, you block as soon
as possible inside the device.

Then as you move "up the stack" if you will towards the RP
you hopefully become more granular about what you let through
and therefore reduce the traffic that can get to the RP.

You will see more and more things coming out that will
help the user do this in a more scalable way.

i.e., the 65xx, which has some rate-limiting capability in
hardware.

I did some poking around here and thought there was some
pretty good stuff.

http://www.cisco.com/security


Rodney

On Tue, Apr 12, 2005 at 03:36:41PM -0500, Mike Bernico wrote:
> 
> CoPP is definitely a good thing, but it is not a silver bullet.  We've
> had some luck with it, but if you throw enough traffic at the box it
> will still die.  It does tend to make it hard to kill however, and we
> prefer it over rACLs where available.  
> 
> 12.0.30S on the GSR is supposed to have distributed CoPP, should be
> even better.
> 
> Mike Bernico
> 
> 
> -----Original Message-----
> From: Roger Weeks [mailto:rjw at mcn.org] 
> Sent: Tuesday, April 12, 2005 11:48 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] CoPP
> 
> This is very interesting; I haven't looked at CoPP before but as an
> ISP it sounds like something we should be looking at.
> 
> Is anyone else using CoPP in their infrastructure?  I'd like to hear  
> about your experiences.
> 
> Roger Weeks
> 
> On Apr 12, 2005, at 9:00 AM, cisco-nsp-request at puck.nether.net wrote:
> 
> > Date: Tue, 12 Apr 2005 10:16:44 -0400
> > From: Rodney Dunn <rodunn at cisco.com>
> > Subject: Re: [c-nsp] Filtering on sender IP#
> > To: Mikael Carlander <rip at kth.se>
> > Cc: cisco-nsp at puck.nether.net
> >
> > You can do it per-interface or globally via CoPP.
> >
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html
> >
> > We are working very hard to try and push the filtering down in
> > hardware with CoPP and there will be more developments in this area
> > as we move forward so it would be a good idea to become familiar with
> > this concept.
> >
> --
> Roger J. Weeks
> Systems & Network Administrator
> Mendocino Community Network
> Now offering DSL in Northern California
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/