[c-nsp] Hiding MPLS L3VPN hops from the CE
Mark Tinka
mtinka at globaltransit.net
Tue Aug 24 23:42:18 EDT 2010
On Wednesday, August 25, 2010 05:15:43 am Gert Doering wrote:
> I don't really want to start a heated debate on whether
> topology hiding is good or bad -
I guess that ship has sailed :-).
> but it comes with some
> consequences :-)
We prefer not to hide our topology. Granted, for customer
VPNs, we tend to implement l2vpns over l3vpns for obvious
reasons. But since a number of our customers are ISPs, and
we know a bunch of users have some clue re: traceroutes,
MTR, etc., we try not to make their lives hard by hiding
the network topology.
Any determined attacker can always find ways to get into
your network if it's weak. We'd rather focus energies on
implementing secure router configurations, good operational
practices and proper change management, rather than relying
on obscurity :-).
But, YMMV :-).
Mark.