While we were crafting the first COPP draft for OPSEC we did have a lot
of debate about how/if/when we could couple COPP with iACLs. Our
decision was to keep it minimalistic and simplistic to "Router Control
Plane Protection" aka: COPP for the illustration.
I was thinking that a good iACL Informational would be good and it was
mentioned in the WG meeting last night again.
I saw this:
http://tools.ietf.org/wg/opsec/draft-ietf-opsec-infrastructure-security/
I'm not sure why it didn't move further. I'll see what I can find out.
Rodney
On 3/24/10 10:13 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 24, 2010 at 01:18:47PM +0000, Dobbins, Roland wrote:
> > Note that the default gateway will be drawn from the access netblocks, not the
> > infrastructure netblocks covered by the iACL.
>
> Now we're talking. I assumed that you wanted to include *all* IP addresses
> configured on routers in the iACL - and that's quite impractical.
>
> ... and this is why I want "properly-implemented" rACLs and/or CoPP, to
> protect those IP addresses that can't be put in iACLs.
>
> gert
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/