RE: routing between provider edge and CPE routers

So, by accepting routes from CPE you create a huge security
vulnerability for your customers, and other parties. This practice was
understood as a very bad network engineering for decades.

Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I must have missed that memo. Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.

1) for single-homed sites use static routing, period. Dynamic routing
does not add anything useful in this case (if circuit is down, it's
down, there are no alternative ways to reach the customer's network).

I agree, and all the feedback I've gotten should help me convince my
peers.

The "convenience" of having to configure only CPE box is no excuse.
Invest some resources in a rather trivial configuration management
system, which keeps track of what network addresses were allocated to
which customer, and produces corresponding bits of router configuration
automatically. Most respectable ISPs did that long time ago. That will
also reduce your tech support costs.

I've never heard of software like that. Do you have a recommended
vendor? Is it typically developed in house?

PS. They should really require a test in "defensive networking" before
   letting anyone to touch provider's routers...

What can I say, I must work cheap!

Is there someplace I can find tidbits of information like this? I
haven't been alive decades so I must have missed that memo. Other than
this list I don't know where to find anyone with lots of experience
working for a service provider.

Well, this list... in the old archives. The current backbone design
issues were pretty much tossed around in 93-94, the "defensive networking"
concept included.

I've never heard of software like that. Do you have a recommended
vendor? Is it typically developed in house?

There's no sustainable market for those, so they're always home-built...
Often it is just a collection of scripts and some RCS to keep configs in.

What can I say, I must work cheap!

:)

--vadim
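
The kind of home-built script the thread describes, as an added example that is not part of either message: it reads a per-customer allocation table, rejects malformed or overlapping prefixes, and emits provider-edge static routes. The record fields, function names, sample addresses and the IOS-style `ip route` output format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample records (documentation address space); in practice
# this table would live in a file kept under revision control.
ALLOCATIONS = [
    {"customer": "cust-a", "prefix": "192.0.2.0/26", "next_hop": "198.51.100.1"},
    {"customer": "cust-b", "prefix": "192.0.2.64/26", "next_hop": "198.51.100.5"},
    {"customer": "cust-b", "prefix": "203.0.113.0/28", "next_hop": "198.51.100.5"},
]


def validate(allocations):
    """Parse records; raise ValueError on malformed or conflicting entries."""
    parsed = []
    for rec in allocations:
        # IPv4Network is strict by default: a prefix with host bits set
        # (e.g. 192.0.2.1/26) is rejected instead of silently widened.
        net = ipaddress.IPv4Network(rec["prefix"])
        hop = ipaddress.IPv4Address(rec["next_hop"])
        if hop in net:
            raise ValueError(f"{rec['customer']}: next hop {hop} is inside {net}")
        for cust, other, _ in parsed:
            # No address may be routed toward two circuits at once.
            if net.overlaps(other):
                raise ValueError(f"{net} ({rec['customer']}) overlaps {other} ({cust})")
        parsed.append((rec["customer"], net, hop))
    return parsed


def render(parsed):
    """Emit IOS-style static routes in a stable order so diffs stay small."""
    lines = []
    for cust, net, hop in sorted(parsed):
        lines.append(f"! {cust}")
        lines.append(f"ip route {net.network_address} {net.netmask} {hop}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(validate(ALLOCATIONS)))
```

Because the routes come only from the allocation table, nothing the CPE is configured to announce can change what the provider edge forwards toward that circuit.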