Customer-facing ACLs
Robert Beverly
rbeverly at rbeverly.net
Fri Mar 7 20:35:27 UTC 2008
On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)?
> This of course is dependent on the type of customer, so let's assume
> we're talking about an average residential customer.
...
As part of a recent measurement project, we estimate the prevalence
of ingress and egress blocking (though under the guise of neutrality).
For customer facing filters, we leverage protocols which provide
port-specific redirects, e.g. HTTP, Gnutella, etc. For traffic
toward customers, we use port-specific tcptraceroutes. Some published
data for the curious:
http://ana.csail.mit.edu/rsp/
Reader's digest summary: NetBIOS ports (and the innocent profile
service) 135-139 are among the most frequently blocked, along
with SMTP, POP3 and filters that have stuck around due to various
worms such as MS-SQL. That said, around 94% of the 16-bit port
space was unblocked by any network.
Curious as to others' answers to this high-level question -- and the
more mundane question of filter maintenance.
rob