Hi Craig

On Thu, 8 Oct 1998, Craig Anderson wrote:
> Hi.
> > The main aim of the experiment was to consider ways that Citylink connected organisations with BGP capable routers but without AS numbers might exchange routing data, so that they can send data directly between each other, without having to go through one (or several) ISP routers.
> Don't ICMP redirects handle this just fine? There are legitimate security reasons for disabling these, but has anyone actually disabled them, or asked clients to disable them?
My observation is that most of the routers seemed to have ICMP disabled - certainly most of my traffic seems to bounce around between multiple routers. I would guess that most people have ICMP turned off because of the various ICMP DoS attacks of the last year, not necessarily because they regard redirects as a bad idea. That, coupled with the vociferous distaste for ICMP redirects expressed by various ISPs in the last year, meant I didn't really consider them as an option.
> I've never really had the feeling that anyone was very concerned about security on Citylink (I could be wrong) anyway.
<grin> that's a slur! We are reasonably keen on security, but contrariwise, we haven't got the resources to fix some of the security problems we perceive without significantly increasing user charges. As you say, however, we (Citylink) don't take responsibility for the security of users of the shared ethernet - as Richard would say, footpaths (another good example of a shared medium :-) aren't safe either, but you still use them. CNHL's motto could be "we provide the footpath, you get yourself mugged".
> If we have ICMP redirects do we actually need BGP between anyone except ISPs and other multiply connected organisations?
No, we wouldn't need BGP if we used ICMP, but ICMP just doesn't seem like a good idea to me.
> Can't we use layer 3 ethernet switches (and possibly monitoring) to greatly improve security in general, lessen the risks with responding to ICMP redirects, and thus address this issue much more easily?
Not really, for a couple of reasons:

1) Citylink don't have layer three ethernet switches yet, and until they drop in price we are unlikely to acquire same (but I have been gently pushing for Citylink to do an evaluation of different available product).

2) ICMP redirects are implicitly only useful on a shared medium, where everybody can see everybody else. I'd prefer to see a more media/topology independent system where we can cater for users on ATM, and for Citylink to expand to having MANs in other areas that are routed together.

Cheers
Si
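As an added example that is not part of the thread above and not code from either Craig or Si, the following Python shows what the ICMP redirect being discussed looks like on the wire and which checks a host is supposed to make before honouring one (the host requirements in RFC 1122, section 3.2.2.2). The addresses, the "ISP router" and "peer router" roles and the sample datagram are all constructed for illustration; nothing here is taken from the Citylink network.

```python
"""Added example, not from the original thread: what an ICMP redirect on a
shared Ethernet looks like on the wire and which checks a host is supposed
to make before honouring one (RFC 1122, section 3.2.2.2).  All addresses
are constructed sample values from the documentation ranges."""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "network/TOS", 3: "host/TOS"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; returns 0 over data whose
    embedded checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_redirect(sender: str, target_host: str, new_gateway: str,
                   original: bytes, code: int = 1) -> bytes:
    """ICMP type 5 from router `sender` to `target_host`: use `new_gateway`
    for the destination of `original` (its IP header + 8 bytes are echoed)."""
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, target_host, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes) -> dict:
    """Pull out the fields the acceptance checks need."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    icmp_type, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    quoted = icmp[8:]  # IP header of the datagram that triggered the redirect
    return {
        "sender": str(ipaddress.IPv4Address(packet[12:16])),
        "is_icmp": packet[9] == 1,
        "type": icmp_type,
        "code": code,
        "checksum_ok": ones_complement_checksum(icmp) == 0,
        "new_gateway": str(ipaddress.IPv4Address(gw)),
        "original_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }


def should_accept(r: dict, current_gateway: str, connected_net: str,
                  accept_redirects: bool = True):
    """Host-side checks from RFC 1122 3.2.2.2; returns (accepted, reason)."""
    if not accept_redirects:
        return False, "redirect processing disabled on this host"
    if not r["is_icmp"] or r["type"] != ICMP_REDIRECT:
        return False, "not an ICMP redirect"
    if not r["checksum_ok"]:
        return False, "bad ICMP checksum"
    if r["code"] not in REDIRECT_CODES:
        return False, "unknown redirect code %d" % r["code"]
    if r["sender"] != current_gateway:
        return False, "sender %s is not the current first hop %s" % (
            r["sender"], current_gateway)
    if ipaddress.IPv4Address(r["new_gateway"]) not in ipaddress.IPv4Network(connected_net):
        return False, "new gateway %s is not on the connected network" % r["new_gateway"]
    return True, "route %s via %s" % (r["original_dst"], r["new_gateway"])


def demo() -> dict:
    """Constructed scenario: a host behind an ISP router on a shared /24 is
    redirected to another organisation's router on the same segment."""
    host, isp_router, peer_router = "192.0.2.10", "192.0.2.1", "192.0.2.50"
    original = ipv4_header(host, "198.51.100.7", 6, 8) + b"\x00" * 8
    legit = build_redirect(isp_router, host, peer_router, original)
    cases = {
        "legit": legit,
        # From an address that is not the host's current first hop.
        "wrong_sender": build_redirect("192.0.2.99", host, peer_router, original),
        # Points at a gateway that is not on the shared segment.
        "offlink_gateway": build_redirect(isp_router, host, "203.0.113.1", original),
        # Last byte of the echoed datagram corrupted in transit.
        "corrupt": legit[:-1] + bytes([legit[-1] ^ 0xFF]),
    }
    return {name: should_accept(parse_redirect(pkt), isp_router, "192.0.2.0/24")
            for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-16s %s  %s" % (name, "accept" if ok else "drop", why))
```

The check that matters for the shared-Ethernet point is "sender is the current first hop": it is the only thing tying a redirect to the router the host actually trusts, and on a segment where every station can put any source address on the wire it is trivially satisfied by anyone else on the segment. That is why the safe host-side setting is simply not to process redirects at all (the `accept_redirects=False` branch above; on Linux the equivalent is `net.ipv4.conf.all.accept_redirects=0`), and why the thread ends up looking at a routing protocol rather than redirects for traffic between organisations.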