On Wed, 1 Mar 2006, David Nolan wrote:
Yeah, but it's not near as fun as dynamic acls updated via a script
monitoring flow logs in real-time. It's definitely easier to implement,
though.
Interesting... That's actually basically what we were doing before, but
phased out in favor of the URPF & host routes approach. We felt the URPF
approach was much cleaner, and more efficient. A routing table lookup is
more efficient than acl processing, particularly if you have significant
numbers of routes, and solved some problems we were having. It also solved some
issues we had, including keeping dynamic acls synchronized between two
redundant routers (HSRP pairs and/or redundant border routers).
I think when he said fun, he meant 'masochistic and nerve wracking, in a
vaguely entertaining because we have scripts issuing and removing ACLs
from our routing core kind of way.' I've built reactive firewalls before,
but even I'd be leery of a reactive ACL implementation. /32 null route
injection is far far easier to manage. =)
- billn
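For readers not familiar with the URPF and host-route approach David describes above, here is what it looks like on a router. This is an added illustration, not configuration from anyone in the thread; Cisco IOS syntax is assumed and 192.0.2.77 is a constructed placeholder for a misbehaving host.

```cisco
! Added example, not from the thread. IOS syntax assumed; 192.0.2.77 is a
! constructed placeholder address.
!
! 1. Loose-mode uRPF on the edge interfaces: a packet is dropped when the
!    route back to its source is missing or points at Null0. 'allow-default'
!    is needed if this router carries a default route, otherwise every source
!    covered only by the default would be dropped as well.
interface GigabitEthernet0/1
 description upstream
 ip verify unicast source reachable-via any allow-default
!
! 2. Injecting a /32 host route to Null0 does two things at once: traffic TO
!    the address is discarded (ordinary null route) and, because of uRPF,
!    traffic FROM the address is discarded on every interface configured as
!    above. No ACL is edited on any interface, and redistributing the static
!    into the IGP or iBGP lets redundant routers (HSRP pairs, both borders)
!    learn the same block instead of each needing its own ACL update.
ip route 192.0.2.77 255.255.255.255 Null0
!
! 3. Lifting the block is the matching 'no' form; the uRPF drop stops at
!    the same moment the route disappears.
no ip route 192.0.2.77 255.255.255.255 Null0
```

Both the destination and source directions are handled by a single routing-table entry, which is the efficiency and synchronization point being made in the thread.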