On Thu, 8 Oct 1998, Craig Anderson wrote:
> The main aim of the experiment was to consider ways that Citylink
> connected organisations with BGP capable routers but without AS numbers
> might exchange routing data, so that they can send data directly between
> each other, without having to go through one (or several) ISP routers.
>
> Don't ICMP redirects handle this just fine? There are legitimate security
> reasons for disabling these, but has anyone actually disabled them, or
> asked clients to disable them?
My observation is that most of the routers seemed to have ICMP disabled -
certainly most of my traffic seems to bounce around between multiple
routers. I would guess that most people have ICMP turned off because
of the various ICMP DOS attacks of the last year, not necessarily because
they regard redirects as a bad idea. That, coupled with the vociferous
distaste for ICMP redirects expressed by various ISPs in the last year,
meant I didn't really consider them as an option.
> I've never really had the feeling that anyone was very concerned about
> security on Citylink (I could be wrong) anyway.
<grin> that's a slur! We are reasonably keen on security, but contrariwise,
we haven't got the resources to fix some of the security problems we
perceive, without significantly increasing user charges. As you say,
however, we (Citylink) don't take responsibility for the security of users
of the shared ethernet - as Richard would say, footpaths (another good
example of a shared medium :-) aren't safe either, but you still use them.
CNHL's motto could be "we provide the footpath, you get yourself mugged".
> If we have ICMP redirects do we actually need BGP between anyone except
> ISPs and other multiply connected organisations?
No, we wouldn't need BGP if we used ICMP, but ICMP just doesn't seem like
a good idea to me.
> Can't we use layer 3 ethernet switches (and possibly monitoring) to
> greatly improve security in general, lessen the risks with responding
> to ICMP redirects, and thus address this issue much more easily?
Not really, for a couple of reasons:
1) Citylink don't have layer three ethernet switches yet, and until they
drop in price we are unlikely to acquire same (but I have been gently
pushing for Citylink to do an evaluation of the different available products).
2) ICMP redirects are implicitly only useful on a shared medium, where
everybody can see everybody else. I'd prefer to see a more media/topology
independent system where we can cater for users on ATM, and for Citylink
to expand to having MANs in other areas that are routed together.
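The two points argued over in this exchange (that a redirect only helps when sender, router and better next hop share one link, and that most sites had simply switched redirect handling off) can be made concrete with a small model. The following is an added example written for this page, not code from the message or from Citylink: it models the router-side decision to send a redirect, the RFC 1122 checks a host applies before honouring one, and the effect of the "accept redirects" setting. The addresses and the 10.1.0.0/16 segment are constructed for the demonstration.

```python
"""Host-side handling of ICMP redirects on a shared Ethernet segment.

Added example for this thread, not code from the original message or from
Citylink. It models both sides of the exchange the thread discusses: the
router deciding whether to send a redirect (RFC 1812 style) and the host
applying the RFC 1122 validity checks before honouring one, plus the effect
of turning redirect acceptance off. Addresses and the segment 10.1.0.0/16
are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field

LINK = ipaddress.ip_network("10.1.0.0/16")  # constructed shared segment


def on_link(addr: str) -> bool:
    """True when the address sits on the shared segment."""
    return ipaddress.ip_address(addr) in LINK


def router_should_redirect(router_addr: str, pkt_src: str, next_hop: str) -> bool:
    """Router side: send a redirect only when the packet came from a host on
    the same link as the better next hop, and that hop is not the router
    itself. Off-link sources (for instance users reached over ATM) never get
    one, which is why the thread calls redirects a shared-media mechanism."""
    return on_link(pkt_src) and on_link(next_hop) and next_hop != router_addr


@dataclass
class Host:
    addr: str
    default_gw: str
    accept_redirects: bool = True
    routes: dict = field(default_factory=dict)  # destination -> next hop

    def next_hop(self, dst: str) -> str:
        return self.routes.get(dst, self.default_gw)

    def on_redirect(self, src: str, dst: str, new_gw: str) -> str:
        """Host side: apply the RFC 1122 checks and return a verdict string."""
        if not self.accept_redirects:
            return "ignored: accept_redirects disabled"
        # The redirect must come from the gateway currently used for dst.
        if src != self.next_hop(dst):
            return "rejected: not from current first-hop gateway"
        # The new gateway must be directly reachable on this link.
        if not on_link(new_gw):
            return "rejected: new gateway not on directly connected network"
        self.routes[dst] = new_gw
        return "accepted"


def walk_through() -> list:
    """Replay a small exchange and return the verdicts in order."""
    isp_router, peer_router = "10.1.0.1", "10.1.0.20"
    host = Host("10.1.0.5", default_gw=isp_router)
    verdicts = []

    # 1. Host sends to 192.0.2.10 via the ISP router; the router knows the
    #    peer router on the same segment is the better hop, so it redirects.
    if router_should_redirect(isp_router, host.addr, peer_router):
        verdicts.append(host.on_redirect(isp_router, "192.0.2.10", peer_router))

    # 2. A redirect for the same destination arriving from an address that is
    #    not the host's current gateway for it fails the first-hop check.
    verdicts.append(host.on_redirect("10.1.0.99", "192.0.2.10", "10.1.0.30"))

    # 3. A redirect pointing at an off-link gateway fails the on-link check.
    verdicts.append(host.on_redirect(isp_router, "198.51.100.7", "203.0.113.1"))

    # 4. With acceptance disabled (the state the thread reports for most
    #    routers) nothing changes regardless of the redirect's content.
    hardened = Host("10.1.0.6", default_gw=isp_router, accept_redirects=False)
    verdicts.append(hardened.on_redirect(isp_router, "192.0.2.10", peer_router))
    return verdicts


if __name__ == "__main__":
    for line in walk_through():
        print(line)
```

Running it prints one verdict per step: the first redirect is accepted and the host's next hop for 192.0.2.10 becomes the peer router; the other three are refused, for the stated reason, before any route changes. The first-hop and on-link checks are the host's only defence while acceptance is on, which is why the sites in the thread chose to turn it off rather than rely on them.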
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads: