[c-nsp] Protecting a sup2/msfc2 in 2010: CoPP the "hard way"

Anton Kapela tkapela at gmail.com
Sun Mar 21 14:43:51 EDT 2010


On Mar 21, 2010, at 2:29 PM, Dobbins, Roland wrote:

>> I also argue that maintaining a flattened-out input ACL blocking packets to receive adjacencies puts the engineering effort-required slider up a few notches; I appreciate the clean/simple nature of CoPP and dislike loading up ACL cam, per port, with repetitive filters, across all or most port

Yup, I typed that one ;) I've never been so much on the opposing side to another opinion:

>> From my standpoint, it's a whole lot *easier* to generate an iACL than making use of the HWRL (or using CoPP), and it only has to be applied to edge interfaces on edge boxes, nowhere else.  And it's the same on every box, irrespective of platform.  The only prerequisite is a rational, summarizable IP addressing plan for one's loopbacks and p2p interfaces

I am also concerned with the sources of "attack bits" which are located on or within the network/AS -- iACL at borders makes plenty of sense, but what about the rest of the interfaces & platforms within it?

-Tk
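As an added illustration (not from the thread or either poster), this is the shape of the edge iACL Roland describes, assuming a constructed infrastructure summary of 192.0.2.0/24 for loopbacks and p2p links, a constructed p2p /30 at 192.0.2.0/30 (our side .1, the peer's side .2), and an assumed edge-facing interface name:

```cisco
! Constructed example, IOS extended ACL syntax.
! 192.0.2.0/24 stands in for the summarized loopback + p2p block.
ip access-list extended INFRA-IACL
 remark -- the peer's side of our p2p link may talk to our side (BGP, BFD)
 permit ip host 192.0.2.2 host 192.0.2.1
 remark -- no other outside source may target infrastructure addresses
 deny   ip any 192.0.2.0 0.0.0.255
 remark -- transit traffic to customers/peers is untouched
 permit ip any any
!
! Applied inbound only on edge interfaces of edge boxes; the list is
! identical everywhere because it references the summary, not per-box addresses.
interface GigabitEthernet1/1
 description edge link to external peer (assumed interface name)
 ip access-group INFRA-IACL in
```

Nothing here inspects traffic that originates inside the AS, which is the gap Anton raises: a compromised internal host sending to 192.0.2.0/24 never crosses this ACL, so it needs CoPP or equivalent per-port filtering on the inside to be covered.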

