Is anyone actually USING IP QoS?

Brett_Watson@enron.net wrote:

i'll give you that. however, caches tend to run under unix-like os's which
are multi-user and multi-service machines. they can be susceptible to DoS
attacks, and can be running services listening on a port which can
potentially be "hacked". my only point is that you are trading a set of
security issues in multicast for *different* security issues with a cache.

A Unix machine can be secured a lot better than any commercial router.

For one, you can get a source code from it and see what the hell it is
doing and fix discovered security holes ASAP.

Second, just run SSH or Kerberos. SSH on cisco, anyone? Nyah.

--vadim

Sure, it's already there, modulo layer 9 restrictions.

-dorian

They (cisco) promised to realise ssh. Hope we'll see it in a few years,
For now, install IPSEC, tunnel, bla-bla-bla, and may be you'll have a
piece of security.

It's amazing but some hacker's scan erased all our 7206 routers onse
(PROM erased withouth any traces of intrusion, and due to accounting it
was some kind of scanning, not more).

Unix machine... drop all services you don't need, run your services not
as the root, install secure level or read-onl.y file system - and no
problems. DoS attacks themself are not a problem in case of right
resource allocation policy (resource is not only memory but sockets,
ports, etc etc).

>attacks, and can be running services listening on a port which can
>potentially be "hacked". my only point is that you are trading a set of
>security issues in multicast for *different* security issues with a cache.

A Unix machine can be secured a lot better than any commercial router.

For one, you can get a source code from it and see what the hell it is
doing and fix discovered security holes ASAP.

Second, just run SSH or Kerberos. SSH on cisco, anyone? Nyah.

--vadim

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)

SSH will debut in IOS 12.0(5)S and 12.0(6)T.

Stephen

     > > Stephen Sprunk, K5SSS, CCIE #3723
    :|: :|: NSA, Network Consulting Engineer
   :|||: :|||: 14875 Landmark Blvd #400; Dallas, TX
.:|||||||:..:|||||||:. Pager: 800-365-4578 / 800-901-6078
C I S C O S Y S T E M S Email: ssprunk@cisco.com