Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
Keegan Holley
no.spam at comcast.net
Fri Feb 28 01:57:14 UTC 2014
It depends on how many customers you have and what sort of contract you have with them if any. A significant amount of attack traffic comes from residential networks where a “one-size-fits-all” policy is definitely best.
On Feb 26, 2014, at 4:01 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
>> From: "Brandon Galbraith" <brandon.galbraith at gmail.com>
>
>> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam at comcast.net>
>> wrote:
>>> More politely stated, it’s not the responsibility of the operator to
>>> decide what belongs on the network and what doesn’t. Users can run any
>>> service that’s not illegal or even reuse ports for other
>>> applications.
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm
>> of possibilities.
>
> All of these conversations are variants of "how easy is it to set up a
> default ACL for loops, and then manage exceptions to it?".
>
> Assuming your gear permits it, I don't personally see all that much
> Bad Actorliness in setting a relatively tight bidirectional ACL for
> Random Edge Customers, and opening up -- either specific ports, or
> just "to a less-/un-filtered ACL" on specific request.
>
> The question is -- as it is with BCP38 -- *can the edge gear handle it*?
>
> And if not: why not? (Protip: because buyers of that gear aren't
> agitating for it)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra at baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
>
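As an added illustration of the "default ACL plus managed exceptions" approach discussed above (this is example code written for this page, not anything posted in the thread), the script below generates a tight bidirectional customer-edge ACL and layers per-customer exceptions on top of it. It assumes Cisco IOS-style extended ACL syntax, a single shared customer-facing interface, a constructed starting list of reflection-prone UDP services, and a hypothetical customer table; the prefixes are documentation ranges. The point it demonstrates is ordering: ACLs are first-match, so an opened port or an "unfiltered" customer must be permitted before the blanket denies, and the BCP38 source check goes last on the inbound side.

```python
"""Generate a default-deny edge ACL with per-customer exceptions.

Example code for this page; not from the original message. Assumes
IOS-style extended ACLs applied to one shared customer-facing interface.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network

# UDP services blocked by default at the customer edge (port -> name).
# Constructed starting list; an operator would tune it.
DEFAULT_BLOCKED_UDP = {19: "chargen", 17: "qotd", 1900: "ssdp"}


@dataclass
class Customer:
    name: str
    prefix: str                                  # assigned IPv4 prefix (CIDR)
    open_udp: set = field(default_factory=set)   # UDP ports opened on request
    unfiltered: bool = False                     # asked to bypass the default ACL


def wildcard(prefix: str) -> str:
    """Render a CIDR prefix as 'network wildcard', the IOS ACL form."""
    net = IPv4Network(prefix)
    return f"{net.network_address} {net.hostmask}"


def build_edge_acls(customers, blocked=DEFAULT_BLOCKED_UDP):
    """Return {acl_name: [ACL entries]} for one shared customer interface.

    EDGE-CUST-IN  is applied inbound  (traffic coming from customers).
    EDGE-CUST-OUT is applied outbound (traffic going toward customers).
    ACLs are first-match, so every exception precedes the blanket denies.
    """
    acl_in, acl_out = [], []

    # 1. Customers who asked for no filtering: permit their prefix first.
    for c in customers:
        if c.unfiltered:
            acl_in.append(f"permit ip {wildcard(c.prefix)} any")
            acl_out.append(f"permit ip any {wildcard(c.prefix)}")

    # 2. Per-port exceptions: a customer legitimately running e.g. chargen
    #    gets that port opened in both directions, for their prefix only.
    for c in customers:
        for port in sorted(c.open_udp):
            acl_in.append(f"permit udp {wildcard(c.prefix)} eq {port} any")
            acl_out.append(f"permit udp any {wildcard(c.prefix)} eq {port}")

    # 3. Default blocks. Inbound: replies leaving a reflector (source port).
    #    Outbound: requests reaching a reflector (destination port).
    for port, name in sorted(blocked.items()):
        acl_in.append(f"remark {name} replies leaving a reflector")
        acl_in.append(f"deny udp any eq {port} any")
        acl_out.append(f"remark {name} requests reaching a reflector")
        acl_out.append(f"deny udp any any eq {port}")

    # 4. BCP38 on the inbound side: only assigned prefixes may source traffic.
    for c in customers:
        acl_in.append(f"permit ip {wildcard(c.prefix)} any")
    acl_in.append("remark BCP38: drop sources outside assigned prefixes")
    acl_in.append("deny ip any any log")
    acl_out.append("permit ip any any")

    return {"EDGE-CUST-IN": acl_in, "EDGE-CUST-OUT": acl_out}


def render(acls):
    """Render the ACL dictionary as IOS-style configuration text."""
    out = []
    for name, entries in acls.items():
        out.append(f"ip access-list extended {name}")
        out.extend(f" {entry}" for entry in entries)
    return "\n".join(out)


# Constructed exception table (hypothetical customers, documentation prefixes).
CUSTOMERS = [
    Customer("resi-pool", "192.0.2.0/24"),                      # default policy
    Customer("lab-shop", "198.51.100.0/28", open_udp={19}),     # runs chargen
    Customer("hosting-co", "203.0.113.0/24", unfiltered=True),  # opted out
]

if __name__ == "__main__":
    print(render(build_edge_acls(CUSTOMERS)))
```

Running it prints the two ACLs; the residential pool gets the default policy with no extra lines, the lab customer's chargen permit lands above the chargen deny, and the opted-out customer's permit sits at the top. Whether this is manageable in practice comes down to the question raised above: whether the edge gear can carry a per-customer ACL of this shape at line rate.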