On 3/24/10 1:29 AM, Daniel Dib wrote:
On 3/24/10 01:33 Dunn, Rodney wrote
I didn't want to plug for myself so thanks. ;)...as we are going to
present the OPSEC WG in about 10 minutes at IETF. ;)
In this draft we want to raise awareness of protecting the control
plane and give a simplistic and minimalistic example. No two deployments
are the same, so it's critical they be tested and constantly evaluated
for changes needed, which is why we kept it somewhat general.
Rodney
Hi Rodney,
I think it's great that someone is writing a BCP for policing of the
control-plane. I have some questions about the design of the policy. In the
policy you drop everything in class class-default which won't allow IS-IS. I
know you don't run this in your setup but since people might use your policy
maybe you should mention this.
;)..it was a typo on the conform on my part. It's already slated for
correction in rev -03.
I also wonder why you don't rate-limit any
of the other classes. If your IGP or SNMP server goes berserk it could have
a serious effect on the control plane of the router.
The huge challenge we have is we wanted to expose new/mid-level
operators to the concept without losing them in complexity. That's why
we chose to show the filter on the subnet for a known peer, although we
all know that could be spoofed, go "berserk" ;). We will have to go
through some more iterations, but we were persistent that we don't want
to go into a configuration where someone would think they could just
cut and paste to the router.
I suppose that you did
not do any tests on the mls rate-limiters?
That was too vendor specific for the draft.
I feel those are the hardest to
come up with good values for. 2 Mbit of ICMP seems like a bit of overkill,
but the router can handle it so it's not really a big issue. I usually
divide my ICMP into "trusted" ICMP and untrusted ICMP, though.
Good point. It's all in how granular you go.
Rodney
/Daniel
On 3/23/10 4:01 PM, Buhrmaster, Gary wrote:
Can there really *BE* a best practice for the 6500 when you either can't
configure a drop action in your default, or you risk rate-limiting/dropping
ARP gleans?
Well, here is some guidance for CoPP, authored by
a number of people from Cisco and Juniper:
http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02
As always, YMWV.
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
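The following control-plane policy is an added worked example that ties together the points raised in the exchange above (a class-default that drops by mistake, unpoliced IGP/SNMP classes, and splitting ICMP into trusted and untrusted). It is not the configuration from draft-dugal-opsec-protect-control-plane and not any poster's own config. Cisco IOS MQC syntax is assumed; every prefix, peer address and policer rate is a constructed placeholder (RFC 5737 documentation ranges) that has to be replaced with the real peers and a measured baseline for the box it goes on. The problem Gary raises is also left out on purpose: on the Sup720 the hardware CoPP only classifies IP traffic, so IS-IS and ARP gleans stay with the platform rate-limiters and are outside what this policy can control.

```cisco
! ---- Constructed example, not the draft's policy ----
! 192.0.2.0/24   : directly attached peering / IGP link   (assumption)
! 198.51.100.0/24: NOC and management network             (assumption)
!
ip access-list extended COPP-IGP
 remark OSPF from the attached link only; IS-IS is CLNS, not IP, and
 remark cannot be matched by any IP ACL, so it falls into class-default
 permit ospf 192.0.2.0 0.0.0.255 any
!
ip access-list extended COPP-BGP
 remark explicit peer only, both directions of the TCP session
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
ip access-list extended COPP-SNMP
 remark only the NOC pollers may talk SNMP to the box
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-ICMP-TRUSTED
 remark ICMP from the NOC, given a larger budget than the rest
 permit icmp 198.51.100.0 0.0.0.255 any
!
ip access-list extended COPP-ICMP-UNTRUSTED
 remark ICMP from anywhere else; must be ordered after the trusted class
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-IGP
 match access-group name COPP-IGP
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-SNMP
 match access-group name COPP-SNMP
class-map match-all COPP-ICMP-TRUSTED
 match access-group name COPP-ICMP-TRUSTED
class-map match-all COPP-ICMP-UNTRUSTED
 match access-group name COPP-ICMP-UNTRUSTED
!
! Weak form: the class-default conform-action typo discussed above.
! Anything not matched by an IP class, IS-IS included, conforms and is
! dropped; the IGP and SNMP have no policer of their own at all.
policy-map COPP-WEAK
 class COPP-BGP
  police 512000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action drop exceed-action drop
!
! Corrected form: every class is policed, ICMP is split into trusted
! and untrusted, and class-default forwards within a small budget instead
! of dropping, so a routing protocol without a class of its own survives.
policy-map COPP
 class COPP-IGP
  police 512000 conform-action transmit exceed-action drop
 class COPP-BGP
  police 512000 conform-action transmit exceed-action drop
 class COPP-SNMP
  police 128000 conform-action transmit exceed-action drop
 class COPP-ICMP-TRUSTED
  police 256000 conform-action transmit exceed-action drop
 class COPP-ICMP-UNTRUSTED
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Two things to check before trusting the numbers: the first matching class wins, so COPP-ICMP-TRUSTED has to sit above COPP-ICMP-UNTRUSTED or the NOC gets the small bucket; and `show policy-map control-plane` should be watched for conformed/exceeded counters over a normal day before any rate is tightened, since a policer that drops legitimate OSPF hellos or BGP keepalives takes the adjacency down just as effectively as the flood it was meant to stop.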