[c-nsp] Best practice infrastructure ACLs and Rate-Limiting

Saku Ytti saku+cisco-nsp at ytti.fi
Fri Jun 29 03:51:08 EDT 2007


On (2007-06-29 09:28 +0200), Peter Basquiat wrote:

> with rate-limit, MQC or CoPP if supported?

I use MQC+ACL at the AS border, to drop everything except rate-limited ICMP and
UDP 'traceroute port range' to core links and core loops. (I don't advertise the
PE side of the customer point-to-points, so they are unattackable outside the
PE; I'd argue that those are probably the most difficult attack points in your
network to protect.) Of course there are a few 'holes' in the iACL, e.g. to allow
connected eBGP speakers to talk to each other.
I use CoPP to protect from attacks inside my AS#. However, in the Cisco world
there are quite a few catches in CoPP, e.g. it's mostly not done in hardware,
except in 7600 and IOS-XR boxes (GSR+IOS does not do it in hardware).
Mostly it does not work in conjunction with MPLS explicit null (except
in 7600). IPv6 support is non-existent. Luckily though, CoPP is not nearly
as important as proper MQC+ACL at AS borders, as that's really the most
common place to get abuse from.

On a slightly related issue: while compiling the iACL, remember to block any
traffic originating from your own PA blocks that is coming in from
other AS#'s. I wouldn't recommend blocking unassigned nets, unless
you can guarantee that your network won't be running on auto-pilot
after you've left the company.


> What's your guys' approach and what do you recommend?
> Would be nice to discuss this a little bit and hear good strategies to make
> the whole internet more safe :-)
> 
> PS: I know there are many documents on this, but hearing about actual
> approaches on a dynamic mailing list is much more instructive.

-- 
  ++ytti
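The border policy described in the reply above (drop everything aimed at core links and loopbacks except policed ICMP and the UDP traceroute range, a 'hole' for the connected eBGP speaker, and a drop for our own PA space arriving from another AS), written out as an added IOS MQC+ACL example; it is not from the original post. All addresses are constructed from RFC 5737 documentation ranges, the interface name and peer AS are assumptions, and the police rate is a placeholder to tune.

```cisco
! Constructed addressing (RFC 5737 documentation ranges), substitute your own:
!   192.0.2.0/24        core loopbacks, core links and the border link (infrastructure)
!   192.0.2.253 / .254  eBGP peer and our side of the border link
!   203.0.113.0/24      our own PA block, must never arrive from another AS
!
! Traffic to infrastructure that is allowed, but only at a policed rate
ip access-list extended iACL-CORE-POLICED
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit udp any 192.0.2.0 0.0.0.255 range 33434 33534
!
! Traffic to infrastructure that is dropped outright.  In a class-map ACL,
! 'permit' = matches the (drop) class and 'deny' = excluded from it, so the
! deny lines are the 'holes' for the connected eBGP speaker.
ip access-list extended iACL-CORE-DROP
 deny   tcp host 192.0.2.253 host 192.0.2.254 eq bgp
 deny   tcp host 192.0.2.253 eq bgp host 192.0.2.254
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip any 192.0.2.0 0.0.0.255
!
class-map match-all CORE-POLICED
 match access-group name iACL-CORE-POLICED
class-map match-all CORE-DROP
 match access-group name iACL-CORE-DROP
!
! Classes are evaluated in order: policed ICMP/traceroute first, then the
! drop class, then everything else (transit and customer traffic) forwards.
policy-map BORDER-IN
 class CORE-POLICED
  police cir 64000 bc 8000 conform-action transmit exceed-action drop
 class CORE-DROP
  drop
 class class-default
!
interface GigabitEthernet0/1
 description eBGP peer, AS64496 (assumed interface and peer AS)
 ip address 192.0.2.254 255.255.255.252
 service-policy input BORDER-IN
```

The UDP range 33434-33534 covers the default Unix traceroute probe ports; widen it if the tools in use differ, and remember that this is IPv4 only, so IPv6 infrastructure needs a parallel ipv6 access-list and class.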

