[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Sun Aug 7 02:06:37 EDT 2016


> Saku Ytti
> Sent: Saturday, August 06, 2016 7:50 PM
>
> On 6 August 2016 at 20:31, Charles Sprickman <spork at bway.net> wrote:
>
> Hey,
>
> > interface loopback0 ip address 10.10.10.101
> >
> > ip ssh listen loopback0
> > ip ntp listen loopback0
> > ip snmp listen loopback0
> >
> > ip access-list mgmt
> >  permit from mgmt-ips to 10.10.10.101
> >  deny from all
> >
> > That seems so much simpler than CoPP and other baroque options to
> > limit management traffic…
>
> Very often management is on-band, so the interface where you'd listen to
> NTP, would be your core interfaces.  If you want to help with volumetric
> attacks, you're going to need CoPP anyhow, so why do two things, if one
> suffices?
>
First of all, I'm worried why no one has mentioned iACLs thus far.
Security works best with a layered approach, and having all edge interfaces allow only BGP and ICMP to talk to your infrastructure IP range is a good start.
CoPP filters are long and complex, thus error-prone, and must allow things you would not want to expose to the whims of the Internet.


> I think you may be envisioning system where there is dedicated
> management interface, and in all other interfaces NTP packets toward
> control-plane are not punted. This intelligence would need to be
This system is called MPP; it's part of LPTS in XR, and I miss it so much in other systems.
I hate the idea where any enabled service starts listening on every IP on the box, routers are not servers.


> programmed to hardware by some logic, the hardware forwarding-logic does
> not know what services and protocols you're running, packet will be punted
> and then software decides what do with it.
> To actually protect the platform, you need to put the protection in the
> hardware, prior software evaluation. And there are different solutions for
> different platforms to this, some platforms use CoPP, where user can
> implement ACL between HW and SW, which is good. IOS-XR uses something
> called 'LPTS', which is essentially unconfigurable black-box, but unfortunately
> it is far less safe than well configured CoPP.
My experience is that all the policer values are visible and configurable, so nothing black-boxy (and yes, they need to be tweaked).

So, as I said: iACL + MPP + LPTS/CoPP, and I can sleep well at night.

adam





        Adam Vitkovsky
        IP Engineer

T:      0333 006 5936
E:      Adam.Vitkovsky at gamma.co.uk
W:      www.gamma.co.uk
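The layered design Adam describes (an iACL on every edge interface, MPP so management services only listen where they should, and LPTS policers tuned rather than left at defaults), written out as an added, illustrative configuration. This is not from the original post or from any vendor guide; all addresses, interface names and rates are assumptions: 10.10.10.0/24 stands in for the infrastructure/loopback range (only 10.10.10.101 appears in the thread), 198.51.100.1 and 198.51.100.2 for a BGP peering pair, 192.0.2.0/24 for the management stations and 192.0.2.10 for an NTP server, GigabitEthernet0/0/0 for an IOS-XE edge port and TenGigE0/0/0/0 for a core-facing IOS-XR port. The iACL part is IOS-XE syntax (the thread is about the ASR920); the MPP and LPTS parts are IOS-XR, since that is where those features live.

```cisco
! ===== Layer 1: infrastructure ACL, inbound on every edge interface (IOS-XE) =====
! Assumed values: infrastructure range 10.10.10.0/24, eBGP peer 198.51.100.2
! talking to our local address 198.51.100.1.
ip access-list extended iACL-EDGE
 remark -- anti-spoof: the Internet may never source packets from our infra range
 deny   ip 10.10.10.0 0.0.0.255 any
 remark -- non-initial fragments carry no L4 header and would match the permits
 remark -- below on L3 alone, so they are dropped here, before any permit
 deny   ip any 10.10.10.0 0.0.0.255 fragments
 remark -- the known BGP peer, both TCP 179 directions
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
 remark -- the ICMP types that keep ping, traceroute and PMTUD working
 permit icmp any 10.10.10.0 0.0.0.255 echo
 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
 permit icmp any 10.10.10.0 0.0.0.255 ttl-exceeded
 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
 permit icmp any 10.10.10.0 0.0.0.255 unreachable
 remark -- everything else aimed at the infrastructure range is dropped in hardware
 deny   ip any 10.10.10.0 0.0.0.255
 remark -- transit traffic to customers is NOT the iACL's business
 permit ip any any
!
interface GigabitEthernet0/0/0
 description Internet-facing edge (assumed)
 ip access-group iACL-EDGE in
!

! ===== Layer 2: Management Plane Protection (IOS-XR) =====
! Management is in-band, so the core-facing port is the only one on which
! SSH/SNMP/NTP are accepted, and only from the named peers. Everything that
! reaches the RP from anywhere else is dropped by LPTS before the daemon sees it.
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
    allow SNMP peer
     address ipv4 192.0.2.0/24
    !
    allow NTP peer
     address ipv4 192.0.2.10
    !
   !
  !
 !
!

! ===== Layer 3: LPTS policers (IOS-XR), the "not a black box" part =====
! Rates are per-flow-type packets per second and are assumptions; read the
! defaults and hit counters first, then lower what you do not need.
lpts pifib hardware police location 0/0/CPU0
 flow bgp known rate 2500
 flow bgp default rate 100
!
```

Two things to check after applying this. On the iACL, the placement of the `fragments` deny matters: an ACE that carries L4 information permits a non-initial fragment on its L3 match alone, so if the fragment deny sat below the BGP permits, fragments to the peering address would slip through. On XR, `show lpts pifib hardware police location 0/0/CPU0` lists every flow type with its current rate and drop counters; that output is what tells you whether a lowered policer is protecting the RP or silently dropping legitimate peers.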


