If you can't do control plane protection on a device, you should yeet it into the sun, even on an internal network. Lateral movement is a thing.

On Mon, Feb 9, 2026 at 1:57 PM Mike Hammett via NANOG <[email protected]> wrote:

> I'd consider that a bad-faith argument.
>
> "What if there is no control/management plane protection to the device?"
>
> If any box is on the public Internet without management plane protection, you're going to be compromised. Sure, some may be faster than others, but that doesn't excuse you from rudimentary protections.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ----- Original Message -----
> From: "Barry Greene" <[email protected]>
> To: "North American Network Operators Group" <[email protected]>
> Cc: "Mike Hammett" <[email protected]>
> Sent: Monday, February 9, 2026 12:53:14 PM
> Subject: Re: Router Recommendations
>
> Hi Mike,
>
> Where are your security requirements? What is the worth of a router today if you put a v6 ACL on it and you drop all your packets to the punt path? What if you cannot get Netflow/IPFIX/sFlow running at a sample rate with export that does not bog down the control/management plane? What if there is no control/management plane protection to the device?
>
> Remember, there are a whole class of threat actors that LOVE Mikrotik’s success. It gives them more boxes to ‘own’ and use with minimal operational impact to the operator.
>
> Barry
>
> > On Feb 10, 2026, at 06:10, Mike Hammett via NANOG <[email protected]> wrote:
> >
> > I'm looking for new BGP routers. I'm currently running Mikrotik, which has served me well so far, but looking at interface speed, count, FIB size, etc. and they just aren't going to cut it.
> >
> > I'm looking for:
> > • Has at least 6x 100G ports
> > • Has a smattering of 10G/25G ports
> > • Has meaningful packet buffers
> > • Routes in hardware at least 2m routes combined of IPv4 and IPv6, more is better
> > • Has reasonably low power usage, I don't need 1 kw going to a router
> > • Is cost-effective
> > • Used is fine
> >
> > I like how the MX301 looks, but it's way more than I'd want to spend, primarily because there really isn't a used market for them yet.
> > Arista and Cisco NCS are close, but to check all of the boxes, you're up to about $15k - $20k. To get to $5k or less, you're compromising on at least two of the things I'm looking for.
> > EdgeCore and UfiSpace may have some models that are in the $5k - $8k range, once you purchase OcNOS.
> >
> > I'd have no problem with the EdgeCore and UfiSpace direction, but I wanted to make sure I wasn't leaving anything out of consideration.
> >
> > -----
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > _______________________________________________
> > NANOG mailing list
> > https://lists.nanog.org/archives/list/[email protected]/message/ANH4UUU6K3CMCSWSBHAALWTYLHK32OGG/
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/UW2FQIME6LQJU5PAOWC3AGWSEYO4USK4/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/5SPTR43TICE2H4VBEE2MSMDRGJYQNPJD/
