[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Saku Ytti saku at ytti.fi
Sat Aug 6 14:49:39 EDT 2016


On 6 August 2016 at 20:31, Charles Sprickman <spork at bway.net> wrote:

Hey,

> interface loopback0 ip address 10.10.10.101
>
> ip ssh listen loopback0
> ip ntp listen loopback0
> ip snmp listen loopback0
>
> ip access-list mgmt
>  permit from mgmt-ips to 10.10.10.101
>  deny from all
>
> That seems so much simpler than CoPP and other baroque options to limit
> management traffic…

Very often management is on-band, so the interface where you'd listen
to NTP would be your core interfaces.  If you want to help with
volumetric attacks, you're going to need CoPP anyhow, so why do two
things, if one suffices?

I think you may be envisioning a system where there is a dedicated
management interface, and on all other interfaces NTP packets toward
the control-plane are not punted. This intelligence would need to be
programmed into hardware by some logic; the hardware forwarding logic
does not know what services and protocols you're running, so the packet
will be punted and then software decides what to do with it.
To actually protect the platform, you need to put the protection in
the hardware, prior to software evaluation. And there are different
solutions for different platforms to this: some platforms use CoPP,
where the user can implement an ACL between HW and SW, which is good.
IOS-XR uses something called 'LPTS', which is essentially an
unconfigurable black box, but unfortunately it is far less safe than
well-configured CoPP.

The Unix analogy breaks because there is (yet) no way to protect it in
hardware, everything is punted. But perhaps with Linux nftables, we
could implement the state machine in NIC HW in the future. So I suspect
Linux will come closer to an SP router in this respect, rather than the
other way around.


-- 
  ++ytti
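As an added illustration (not part of the original thread) of the "ACL between HW and SW" that Saku describes, here is generic IOS-style CoPP that admits NTP to the control-plane only from trusted sources and drops the rest before the software ever sees it. The addresses 192.0.2.10/192.0.2.11 and the police rates are constructed placeholders; the class and policy names are assumptions.

```cisco
! Trusted NTP sources (constructed placeholders, replace with real peers)
ip access-list extended COPP-NTP-TRUSTED
 permit udp host 192.0.2.10 any eq ntp
 permit udp host 192.0.2.11 any eq ntp
! Anything else claiming to be NTP toward the box
ip access-list extended COPP-NTP-UNTRUSTED
 permit udp any any eq ntp

class-map match-all COPP-NTP-TRUSTED
 match access-group name COPP-NTP-TRUSTED
class-map match-all COPP-NTP-UNTRUSTED
 match access-group name COPP-NTP-UNTRUSTED

policy-map COPP
 ! Trusted peers: pass, but still rate-limit so a compromised peer
 ! cannot flood the punt path
 class COPP-NTP-TRUSTED
  police 64000 conform-action transmit exceed-action drop
 ! Untrusted NTP: drop in hardware regardless of rate
 class COPP-NTP-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
 ! Everything else punted: bounded, not blocked
 class class-default
  police 1000000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP
```

Whether a given class is enforced in the forwarding ASIC or only after punt, and whether police accepts bps or pps, is platform specific, so verify with the platform's show commands rather than assuming the policy-map alone protects the punt path.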

