Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

Christopher L. Morrow chris at UU.NET
Sat Jul 19 02:56:03 UTC 2003



On Sat, 19 Jul 2003, Niels Bakker wrote:

> * chris at UU.NET (Christopher L. Morrow) [Sat 19 Jul 2003, 01:03 CEST]:
> > hrm, what nodes don't run 55/53/77/103? What do? Do you have a list? Could
> > we have it?
>
> I'm sure you know what devices in your network run Mobile IP or Sun ND
> (to paraphrase Randy Bush, you can probably count them on the fingers
>  of your nose).

my nose has many fingers... wait, that's hairs! :) though I do agree... So,
I must apologize for reading your message's intent in reverse.

>
> Router#conf t
> Router(config)#ip receive-acl 10 no-idiocy
>
>
> > Seriously though... the edge networks (as Jared pointed out) should be
> > able to decide what they want to filter and what they don't... perhaps
> > some large ISP would decide you don't want any traffic from 212/8 or
> > perhaps all porn? Or all religious material? You don't want someone
> > deciding what you do and don't get... unless that someone is you :)
>
> That's why I said that transit networks could filter only towards their
> own infrastructure.
>

Agreed, and it does, to some extent... As should anyone else's, eh? It
makes sense that if you have either of the 2 main vendors' products you
can accomplish this task easily and at 'no cost'.

>
> > yes... inside my network I know what my loopbacks and links are, inside
> > yours?? No idea... or Jared's or Tim Battles or...
>
> Luckily it's not your responsibility to protect them (only to intervene
> when advised they're under attack, which I've heard you're doing a very
> good job at - but that aside).

We thank you, it's a group effort... but as I said above, my apologies,
this current event has me a bit punchy :)
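The policy the thread converges on, filtering the IP protocol numbers in question (55/53/77/103) only toward one's own loopbacks and links while leaving transit traffic alone, as an added illustration that is not part of the original post or any operator's actual config. The infrastructure prefixes are constructed sample values; the generated lines follow Cisco IOS extended-ACL syntax, and how such a list is attached to the router's receive path is vendor-specific and not shown.

```python
import ipaddress

# IP protocol numbers named in the thread (IANA names): 53 SWIPE, 55 IP Mobility,
# 77 Sun ND, 103 PIM.
FILTERED_PROTOCOLS = {53: "swipe", 55: "mobile-ip", 77: "sun-nd", 103: "pim"}

# Constructed example: infrastructure an operator knows (loopback block, a link /30).
INFRA_PREFIXES = ["192.0.2.0/24", "198.51.100.0/30"]


def build_infra_acl(name, infra_prefixes, protocols):
    """Return IOS-style extended ACL lines that deny the given IP protocols
    only when the destination is one of our infrastructure prefixes.
    Everything else (customer and transit traffic) is permitted untouched."""
    lines = [f"ip access-list extended {name}"]
    for prefix in infra_prefixes:
        net = ipaddress.ip_network(prefix)
        # IOS ACLs take a wildcard mask (inverse of the netmask), e.g. 0.0.0.255.
        wildcard = str(net.hostmask)
        for proto in sorted(protocols):
            lines.append(f" deny {proto} any {net.network_address} {wildcard}")
    lines.append(" permit ip any any")
    return lines


def acl_verdict(dst, proto, infra_prefixes, protocols):
    """Evaluate a packet (destination, IP protocol number) against the same
    policy: 'deny' only if it targets infrastructure with a filtered protocol."""
    dst_ip = ipaddress.ip_address(dst)
    targets_infra = any(dst_ip in ipaddress.ip_network(p) for p in infra_prefixes)
    if targets_infra and proto in protocols:
        return "deny"
    return "permit"


if __name__ == "__main__":
    print("\n".join(build_infra_acl("INFRA-ACL", INFRA_PREFIXES, FILTERED_PROTOCOLS)))
```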
