[nsp-sec] creative lying
John Fraizer
john at op-sec.us
Tue Sep 2 16:45:28 EDT 2008
And to add to that, it's quite a task to update the interface config on thousands of customer-agg routers to add uRPF.
It's been an ongoing project for me for going on 2 years here at the "new" gig and it has not been without its trials.
John
Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> No problem at all except who owns/manages the CPE (customer provided
> equipment) and what is their payout for doing this?
>
> I agree it's a good idea; how do we get our customers to perform that
> filtering?
> In many cases the guy setting up an enterprise's router has never heard
> of Cymru or seen Cisco's security blueprints or read a Juniper manual
> about security. They simply want the router to work and once it begins
> working they leave it alone.
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Alfredo Sola
>> Sent: Tuesday, September 02, 2008 11:48 AM
>> To: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] creative lying
>>
>>> thing works at all because so few people use/deploy/maintain BCP-38
>>> compliance. This was an eye-opener for me.
>> http://www.caida.org/workshops/wide/0808/slides/measuring_reverse_paths.pdf
>>
>> I've been wondering for years, what is so complicated about not letting
>> spoofed packets out of CPE routers? Even at an aggregation level my
>> experience is that it creates no issues at all, and it does eliminate a
>> source of potential (but all too often very real) trouble. Plus, it's
>> not anything even remotely complicated to deploy; in Cisco-land, it's
>> one sentence per interface - easily added to a template (such as Team
>> Cymru's excellent reference secure templates, which do have it).
>>
>> Perhaps this one is for -discuss.
>>
>> --
>> Alfredo Sola
>> ASP5-RIPE
>> http://alfredo.sola.es/
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________