HTTP proxies, was Re: Operational Issues with 69.0.0.0/8...
Michael.Dillon at radianz.com
Mon Dec 9 10:17:24 UTC 2002
> And don't forget about the biggest of them all, open BIND proxies. After
> port 80, port 53 goes through almost as much. A lot of times you don't
> need to hack anything, software comes with relay/proxy/recursion
> enabled.
> How do we get software vendors (free, pay, virus) to distribute software
> with appropriate defaults?
Set up the Net Police.
First step, learn from the RBL and other blacklists.
Second step, publish a directory. I.e. detect the non-conforming devices
and publish their IP addresses in an LDAP server.
Third step, use these directories to dynamically configure filters and
ACLs and blackhole routes.
Fourth step, lean on the vendors to make more things dynamically
configurable, i.e. make ACL configuration more like route distribution.
That makes the 3rd step easier and will get more of the corporate
networking people to police their neighborhoods.
Finally, stop raving about how the net police would be bad. They already
exist in the form of many disorganized private net police groups like the
RBL people, spammer blacklists, NANOG mailing list, CIDR report, CERT,
etc. The point is that policing the network itself and the devices that
connect to the network is a good thing and should be done in a coordinated
fashion.
The reason for publishing stuff using LDAP is that we are not policing
people, we are policing machines; therefore we need to talk to them in a
language they can understand, i.e. a network protocol.
And yes, I realize that there are lots of problems with this that need to
be solved and slippery slopes that we have to be wary of, but that is not
a reason for not trying.
--Michael Dillon
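The detection and ACL-generation steps above, as an added example that is not code from the post or from NANOG. It probes a nameserver for open recursion the way a client would (an A query with RD set; RFC 1035 header layout) and, for the hosts that answer recursively, emits Cisco IOS-style deny entries and Null0 blackhole routes. The IPv4 addresses, the query name `www.example.com.`, the ACL number 110, and the `make_response` packets used for offline testing are all constructed for this example; the LDAP directory in between is left out.

```python
"""Open-recursion probe plus ACL/blackhole generation (example code, not from the post)."""
import ipaddress
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000           # message is a response
RD = 0x0100           # recursion desired
RA = 0x0080           # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname, qid):
    """Single-question A/IN query with RD set, as an ordinary stub resolver sends it."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(response, expected_id):
    """Pull the flags and answer count out of a response; reject wrong transaction ids."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "ancount": an}


def classify_response(response, expected_id):
    """'open-recursive' means the server resolved a name it is not authoritative for."""
    h = parse_header(response, expected_id)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursive"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    return "closed"


def probe(server, qname="www.example.com.", timeout=2.0):
    """Send the query over UDP/53 to a live server (needs network; not run offline)."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no-answer"
    finally:
        sock.close()
    return classify_response(data, qid)


def make_response(qid, ra, rcode, ancount, qname="www.example.com."):
    """Constructed response (header + echoed question) for offline testing; no real server."""
    flags = QR | RD | (RA if ra else 0) | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + build_query(qname, qid)[12:]


def acl_lines(flagged, acl_number=110):
    """IOS-style deny entries plus Null0 blackhole routes for each flagged IPv4 host.

    Duplicates are collapsed and hosts are emitted in address order so the
    output is stable when it is regenerated from a directory dump.
    """
    hosts = sorted({str(ipaddress.IPv4Address(ip)) for ip in flagged},
                   key=ipaddress.IPv4Address)
    lines = [f"access-list {acl_number} deny ip host {h} any" for h in hosts]
    lines.append(f"access-list {acl_number} permit ip any any")
    lines += [f"ip route {h} 255.255.255.255 Null0" for h in hosts]
    return lines


if __name__ == "__main__":
    # Offline demonstration with constructed packets instead of probe():
    verdicts = {"198.51.100.2": classify_response(make_response(7, True, 0, 1), 7),
                "203.0.113.9": classify_response(make_response(8, False, 5, 0), 8)}
    for line in acl_lines([ip for ip, v in verdicts.items() if v == "open-recursive"]):
        print(line)
```

A server that answers with RA set but REFUSED, or with NOERROR and no answer section, is not counted as open here; only a completed recursive answer for a foreign name gets a host into the ACL, which keeps authoritative-only servers off the list.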
More information about the NANOG mailing list