Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
Jay Ashworth
jra at baylink.com
Wed Feb 26 21:01:50 UTC 2014
----- Original Message -----
> From: "Brandon Galbraith" <brandon.galbraith at gmail.com>
> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam at comcast.net>
> wrote:
> > More politely stated, it’s not the responsibility of the operator to
> > decide what belongs on the network and what doesn’t. Users can run any
> > service that’s not illegal or even reuse ports for other
> > applications.
> Blocking chargen at the edge doesn't seem to be outside of the realm
> of possibilities.
All of these conversations are variants of "how easy is it to set up a
default ACL for loops, and then manage exceptions to it?".
Assuming your gear permits it, I don't personally see all that much
Bad Actorliness in setting a relatively tight bidirectional ACL for
Random Edge Customers, and opening up -- either specific ports, or
just "to a less-/un-filtered ACL" on specific request.
The question is -- as it is with BCP38 -- *can the edge gear handle it*?
And if not: why not? (Protip: because buyers of that gear aren't
agitating for it)
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
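A model of what the message proposes (one default bidirectional ACL for edge customers plus a per-customer exception table that opens specific ports or moves a customer to the un-filtered ACL), as an added example that is not part of the original post or any vendor's code; the prefixes, tickets and exception entries are constructed:

```python
"""Default-tight edge ACL with a managed exception table (added example,
not code from the NANOG post or any vendor; all names and data constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# UDP services the default ACL drops both ways (the ones the thread names);
# this also stops ordinary NTP clients, which is why exceptions must be cheap.
DEFAULT_BLOCKED_UDP = {19: "chargen", 123: "ntp"}

@dataclass
class CustomerException:
    prefix: str                     # customer assignment, e.g. "192.0.2.0/24"
    open_udp_ports: set = field(default_factory=set)   # ports opened on request
    unfiltered: bool = False        # customer moved to the un-filtered ACL
    ticket: str = ""                # the request that justified the exception

class EdgeAcl:
    def __init__(self, exceptions):
        self.exceptions = [(ip_network(e.prefix), e) for e in exceptions]

    def exception_for(self, addr):
        # Longest-prefix match, so a /32 entry can override a /24 entry.
        hits = [(n, e) for n, e in self.exceptions if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def decide(self, src, dst, proto, sport, dport):
        """Return (verdict, reason) for one flow seen at the customer edge."""
        if proto != "udp":
            return ("permit", "not a default-filtered protocol")
        hit = next((p for p in (sport, dport) if p in DEFAULT_BLOCKED_UDP), None)
        if hit is None:
            return ("permit", "port not in default ACL")
        # Bidirectional: either endpoint may be the customer, so check both.
        for addr in (ip_address(src), ip_address(dst)):
            exc = self.exception_for(addr)
            if exc is None:
                continue
            if exc.unfiltered:
                return ("permit", f"{exc.prefix} on un-filtered ACL ({exc.ticket})")
            if hit in exc.open_udp_ports:
                return ("permit", f"{exc.prefix} opened udp/{hit} ({exc.ticket})")
        return ("deny", f"default ACL drops udp/{hit} ({DEFAULT_BLOCKED_UDP[hit]})")

# Constructed exception table: a customer running an NTP server, and one
# host moved to the un-filtered ACL inside an otherwise default-filtered /24.
ACL = EdgeAcl([
    CustomerException("192.0.2.0/24", open_udp_ports={123}, ticket="TKT-1001"),
    CustomerException("192.0.2.77/32", unfiltered=True, ticket="TKT-1002"),
])
```

The exception table is the part that has to be operationally cheap: every entry carries the ticket that justified it, so the exceptions can be audited and expired like any other change.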