[c-nsp] Looking-glass software?

Dragan Jovicic draganj84 at gmail.com
Thu May 18 17:42:16 EDT 2017


For what it's worth, we use OpenBGP's LG on OpenBSD. It peers "read-only"
with our Internet Gateway routers and Route Reflectors.

Advantages:
- Probably one of, if not the most secure solution.
- No logging at all on routers themselves.
- By simple deduction you get to see the best active route on all routers.

Disadvantages:
- You don't get to see all routes on all routers.
- You can't traceroute or ping from each router (since you don't log to
these routers).

Disadvantages are not a big deal as we use other tools as well.

Another solution is to virtualize these servers, one per router, to get
an even better view.

So far, no complaints. I like that it runs on OpenBSD, to be honest.

BR,

+Dragan

On Thu, May 18, 2017 at 9:08 PM, Saku Ytti <saku at ytti.fi> wrote:

> On 18 May 2017 at 21:47, Patrick M. Hausen <hausen at punkt.de> wrote:
> > I am in no way planning to make this public. We have had routerproxy in
> > place as a convenient tool for our own admins, specifically the ones who
> > are not IOS gurus and just want to look up stuff, not configure the systems.
>
> I get that, but you shouldn't use system() or back-ticks ever,
> regardless of security posture. Because it is 0 cost to do this right
> (e.g. popen) versus wrong, so you have no upside on the wrong way.
> Also, you may intend it for internal use only, but then you leave the
> company, and a customer RFP mandates a looking glass, and the fastest way
> to do it is to expose the NOC tool to the customer.
>
> --
>   ++ytti
>
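
The point in the quoted reply about avoiding system() and back-ticks, as an added example that is not part of either message and not code from routerproxy or any looking glass named in this thread: the user-supplied target is validated and then passed as a single argv element, so no shell ever parses it. The query table, function names and the stand-in "client" (the Python interpreter echoing its arguments in place of a router session) are assumptions made so the example runs offline.

```python
import ipaddress
import subprocess
import sys

# Stand-in for the router CLI client (assumption): echoes its arguments joined by '|'.
ECHO_CLIENT = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]

# Hypothetical allow-list: only these fixed command templates can be run.
QUERIES = {
    "bgp": ["show", "ip", "bgp"],
    "route": ["show", "ip", "route"],
}


def validate_target(raw):
    """Accept only an IPv4/IPv6 address or prefix; return its canonical text."""
    try:
        return str(ipaddress.ip_network(raw.strip(), strict=False))
    except ValueError:
        raise ValueError("target must be an IP address or prefix") from None


def run_query(name, raw_target, validate=True):
    """Run an allow-listed query with the target as one argv element, no shell."""
    if name not in QUERIES:
        raise ValueError("unknown query")
    target = validate_target(raw_target) if validate else raw_target
    argv = ECHO_CLIENT + QUERIES[name] + [target]
    # shell=False is the default: argv is handed to exec directly, so ';', '|',
    # back-ticks and '$()' inside target are plain bytes, not shell syntax.
    # The form the reply warns against would be os.system("client ... " + target).
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=10, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    hostile = "192.0.2.0/24; echo INJECTED"  # constructed sample input
    print(run_query("bgp", "192.0.2.0/24"))
    # Even with validation switched off, the whole string stays one argument.
    print(run_query("bgp", hostile, validate=False))
    try:
        run_query("bgp", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```
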

