[c-nsp] How secure ASR management interface is?
adamv0025 at netconsultings.com
Sun Apr 21 07:28:14 EDT 2019
> From: Charles Sprickman <spork at bway.net>
> Sent: Saturday, April 20, 2019 7:29 PM
>
> > On Apr 20, 2019, at 9:49 AM, Alex K. <nsp.lists at gmail.com> wrote:
> >
> > Hello Dave,
> >
> > Thank you.
> >
> > Sure, it isn't *really* separated. After all, the RP's CPU is connected to
> > both (the management interface and the router's forwarding matrix). It's really
> > a software-imposed separation.
>
> I’m always a bit puzzled by the design choices and how long they’ve stayed
> around. Back in 10.3 I got it - nobody cared about this, you just access-list
> everything and hope you didn’t miss some service. And now it seems
> essentially the same. Why the command shell wouldn’t be bound to a single
> IP (or a defined list of IPs) as part of the isolation is beyond me. The fact that
> if I have 200 interfaces configured with an IP that the shell process (and
> snmp, and ntp and whatever else is running) listens on those IPs is just
> insane.
>
> I’m a bit of a dinosaur, so maybe in the new versions this has changed, but as
> of the last time I really paid attention to IOS they were still in the 90’s as far as
> keeping the management processes separate.
>
Yup, that's beyond me too; would like to understand the thought process...
But at least in XR you have an easy way of limiting what service listens on what physical interfaces. Still waiting for the rest of the NOSes to catch up...
adam
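The per-interface restriction adam refers to is IOS XR Management Plane Protection (MPP). The configuration below is an added illustration, not something posted in this thread; the interface names, the `mgmt` VRF and the 192.0.2.0/24 operator subnet are assumed values for the example.

```text
! Added example (not from the thread): IOS XR MPP restricting management services per interface.
! Once an inband or out-of-band section is configured, interfaces not listed under it
! drop the covered management protocols instead of answering on every routed address.
control-plane
 management-plane
  inband
   ! Assumed core-facing interface: only SSH, and only from the assumed operator subnet.
   interface GigabitEthernet0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
   !
  !
  out-of-band
   ! Assumed management VRF and dedicated management Ethernet: SSH and SNMP allowed here.
   vrf mgmt
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH
    allow SNMP
   !
  !
 !
!
```

Verify what the box actually enforces with `show mgmt-plane` after committing; any interface missing from the output is one where the listed services are no longer reachable.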