Providers removing blocks on port 135?
Justin Shore
listuser at numbnuts.net
Fri Sep 19 17:30:42 UTC 2003
On Fri, 19 Sep 2003, Matthew Kaufman wrote:
>
> I agree entirely with this. You shouldn't call yourself an ISP unless you
> can transport the whole Internet, including those "bad Microsoft ports",
> between the world and your customers.
I disagree. In my opinion an NSP shouldn't filter traffic unless one of
its customers requests it. However, I strongly believe that an ISP (where
its customers are Joe Blow average citizen and Susy Homemaker) should
take every reasonable step to protect its users from malicious traffic,
and that includes filtering ports. For example, I have no reservation
about NATing basic dialup users. I also have no problem with filtering
ports for services they shouldn't be running on a dialup connection (HTTP,
FTP, DNS) or for services that IMHO have no business on the public
Internet (including every single Microsoft port I can identify). To not
do so is IMHO to run a network in an extremely negligent manner.
We do this very thing with email. We filter known malicious messages,
attachments, and spam from email. I don't think there's a reasonable
person among us that can complain about that. Why not do it to network
traffic then? If we should allow every bit of traffic to pass unmolested
by ACLs then we should allow all email to pass by unmolested by anti-virus
and spam checks. It's a two-way street.
> On the other hand, what's a provider to do when their access hardware can't
> deal with a pathological set of flows or arp entries? There isn't a good
> business case to forklift out your DSLAMs and every customer's matching CPE
> when a couple of ACLs will fix the problem. For that matter, there isn't a
> very good business case for transporting Nachi's ICMP floods across an
> international backbone network when you can do a bit of rate-limiting and
> cut your pipe requirements by 10-20%.
A good point.
Justin