Providers removing blocks on port 135?

Sean Donelan sean at donelan.com
Sat Sep 20 19:36:40 UTC 2003


Has anyone else noticed the flip-flops?

To prevent spam providers should block port 25.

If providers block ports, e.g. port 135, they aren't providing access to
the "full" Internet.

Should any dialup, dsl, cable, wi-fi, dhcp host be able to use any service
at any time?  For example run an SMTP mailer, or leave Network
Neighborhood open for others to browse or install software on their
computers?

Or should ISPs have a "default deny" on all services, and subscribers need
to call for permission if they want to use some new service?  Should new
services like Voice over IP, or even the World Wide Web, be blocked by
default by service providers?


As a HOST requirement, I think all hosts should be "client-only" by
default.  That includes things acting like hosts, such as routers,
switches, print servers, file servers, and UPSes.  If a HOST uses a
network protocol for local host processes (e.g. X-Windows, BIFF, Syslog,
DCE, RPC), by default it should not accept network connections.

It should require some action, e.g. the user enabling the service, the
DHCP client enabling it in a profile, clicking things on the LCD display
on the front of the printer, etc.

If the device is low-end and only has a network connection (e.g. no
console), it may have a single (i.e. telnet or web, but not both)
management protocol enabled, provided it includes a default password which
cannot be discovered from the network (i.e. not the MAC address), is
different for each device (i.e. not predictable), and is only accessible
from the "local" network (e.g. the "internal" subnet interface).  A
"proprietary" protocol is not an adequate substitute.  Static passwords are
inherently insecure if you get enough guesses, so the device should block
use of the default password after N failed attempts until the device is
manually reset.  I recognize this is a potential denial of service, and
for non-default passwords vendors may decide to do something else.  But
if the user hasn't changed the default password, they probably aren't
using it anyway.
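The management-password rules above, modelled as a small Python state machine. This is an added illustration, not code from the post or from any vendor; the interface names, the failure limit of 5 and the per-device password generated at construction time are assumptions made for the example.

```python
import hmac
import secrets


class DeviceManagementAuth:
    """Single management service on a low-end device: per-device unpredictable
    default password, reachable only on the local interface, and lockout of the
    unchanged default password after N failures until a manual reset."""

    def __init__(self, max_failures=5, local_interfaces=("lan0",)):
        # Assumed: default password generated per device, not derived from any
        # network-visible value such as the MAC address (printed on a label).
        self._password = secrets.token_urlsafe(12)
        self._default_in_use = True
        self._max_failures = max_failures
        self._failures = 0
        self._locked = False
        self._local_interfaces = frozenset(local_interfaces)

    @property
    def default_password(self):
        return self._password

    @property
    def is_locked(self):
        return self._locked

    def authenticate(self, ingress_interface, password):
        """True on success; refuses non-local interfaces and a locked-out default."""
        if ingress_interface not in self._local_interfaces:
            return False  # management plane not exposed beyond the internal subnet
        if self._locked:
            return False
        if hmac.compare_digest(password.encode(), self._password.encode()):
            self._failures = 0
            return True
        self._failures += 1
        # Only the unchanged default password is locked out after N failures;
        # a user-set password is left to the vendor's own policy, as the post says.
        if self._default_in_use and self._failures >= self._max_failures:
            self._locked = True
        return False

    def change_password(self, ingress_interface, old, new):
        if not self.authenticate(ingress_interface, old):
            return False
        self._password, self._default_in_use, self._failures = new, False, 0
        return True

    def manual_reset(self):
        """Physical action on the device (button or console) clears the lockout."""
        self._locked, self._failures = False, 0
```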

SERVICE PROVIDERS do not enforce host requirements.