[c-nsp] CoPP

Rodney Dunn rodunn at cisco.com
Thu Apr 14 10:52:33 EDT 2005


And even for traffic that does reach the RP there
should be some consideration to police at some
level in case spoofed traffic does match a class
that you permit. The trick as you said is knowing
what those limits are.

The goal is that as you move up the stack you can apply
more intensive filtering (i.e. stateful TCP inspection type
stuff). The less non-valid traffic presented to that level
the better.

Rodney


On Thu, Apr 14, 2005 at 09:39:25AM -0500, Mike Bernico wrote:
> I definitely agree with your strategy.  
> 
> The first step in securing the infrastructure should be filters at the
> network edge.  For a service provider this is not always an easy task,
> but it is definitely worth the effort and investment.  
> 
> While the above is good and may stop most attacks, edge filtering is
> just an M&M approach to security (hard shell, soft chocolate).  That's
> why, as you said, layers of security are best.  This is the heart of the
> defense in depth strategy security people talk about so much.  
> 
> The trick in deploying CoPP or any technique in a layered filtering
> strategy is being specific enough to be secure, but still being general
> enough so that your rules don't turn into an administrative nightmare.
> No one really wants to have to adjust an ACL every time a new BGP
> customer is added, but everyone should want a pretty specific set of
> rules.  It's a balancing act with no perfect solution IMO.
> 
> Mike Bernico
> 
> 
> 
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com] 
> Sent: Thursday, April 14, 2005 7:31 AM
> To: Mike Bernico
> Cc: Roger Weeks; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] CoPP
> 
> I get asked this question a lot about how to protect the
> box. The best security IMO in this area: you block at
> the edges, and as you move to the devices you block as soon
> as possible inside the device.
> 
> Then as you move "up the stack" if you will towards the RP
> you hopefully become more granular about what you let through
> and therefore reduce the traffic that can get to the RP.
> 
> You will see more and more things coming out that will
> help the user do this in a more scalable way.
> 
> i.e. like the 65xx, which has some rate-limiting capability in
> hardware
> 
> I did some poking around here and thought there was some
> pretty good stuff.
> 
> http://www.cisco.com/security
> 
> 
> Rodney
> 
> On Tue, Apr 12, 2005 at 03:36:41PM -0500, Mike Bernico wrote:
> > 
> > CoPP is definitely a good thing, but it is not a silver bullet.  We've
> > had some luck with it, but if you throw enough traffic at the box it
> > will still die.  It does tend to make it hard to kill however, and we
> > prefer it over rACLs where available.  
> > 
> > 12.0.30S on the GSR is supposed to have distributed CoPP, should be
> > even better.
> > 
> > Mike Bernico
> > 
> > 
> > -----Original Message-----
> > From: Roger Weeks [mailto:rjw at mcn.org] 
> > Sent: Tuesday, April 12, 2005 11:48 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] CoPP
> > 
> > This is very interesting, I haven't looked at CoPP before but as an
> > ISP it sounds like something we should be looking at.
> > 
> > Is anyone else using CoPP in their infrastructure?  I'd like to hear  
> > about your experiences.
> > 
> > Roger Weeks
> > 
> > On Apr 12, 2005, at 9:00 AM, cisco-nsp-request at puck.nether.net wrote:
> > 
> > > Date: Tue, 12 Apr 2005 10:16:44 -0400
> > > From: Rodney Dunn <rodunn at cisco.com>
> > > Subject: Re: [c-nsp] Filtering on sender IP#
> > > To: Mikael Carlander <rip at kth.se>
> > > Cc: cisco-nsp at puck.nether.net
> > >
> > > You can do it per-interface or globally via CoPP.
> > >
> > > http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html
> > >
> > > We are working very hard to try and push the filtering down in
> > > hardware with CoPP and there will be more developments in this area
> > > as we move forward so it would be a good idea to become familiar with
> > > this concept.
> > >
> > --
> > Roger J. Weeks
> > Systems & Network Administrator
> > Mendocino Community Network
> > Now offering DSL in Northern California
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
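To illustrate the layered policy the thread describes (permit known BGP peers but still police that class, drop known-bad traffic, rate-limit whatever is left), here is an added IOS CoPP configuration that is not from any poster in this thread; peer addresses (RFC 5737 documentation ranges), rates and class names are assumptions.

```cisco
! Added example, not from the thread. Addresses, rates and names are assumed.
! Known BGP peers only: a tight "permit" class (constructed sample peers).
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.10 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.10 eq bgp host 192.0.2.1
!
! Management from a trusted prefix (constructed sample prefix).
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
! Traffic that should never reach the RP at all.
ip access-list extended COPP-UNDESIRABLE
 permit udp any any eq 1434
 permit tcp any any fragments
!
class-map match-any COPP-BGP
 match access-group name COPP-BGP
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT
class-map match-any COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
policy-map COPP-POLICY
 ! Even the permitted BGP class is policed: a spoofed packet that matches
 ! the peer/port pair still cannot load the RP beyond the configured rate.
 class COPP-BGP
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 8000 1500 conform-action drop exceed-action drop
 ! Anything not explicitly classified is rate-limited rather than dropped,
 ! so an omission in the classes degrades the box instead of breaking it.
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Watch the conform/exceed counters before tightening any rate:
! show policy-map control-plane input
```

A rising exceed count on COPP-BGP during normal operation means the limit is below legitimate peer load; a rising count on class-default usually means a class is missing.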