[102903] in North American Network Operators' Group
Re: Customer-facing ACLs
daemon@ATHENA.MIT.EDU (Robert Beverly)
Fri Mar 7 15:56:07 2008
Date: Fri, 7 Mar 2008 15:35:27 -0500
From: Robert Beverly <rbeverly@rbeverly.net>
To: Justin Shore <justin@justinshore.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <47D19D99.9000408@justinshore.com>
Errors-To: owner-nanog@merit.edu
On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)?
> This of course is dependent on the type of customer, so let's assume
> we're talking about an average residential customer.
...
As part of a recent measurement project, we estimate the prevalence
of ingress and egress blocking (though under the guise of neutrality).
For customer-facing filters, we leverage protocols which provide
port-specific redirects, e.g. HTTP, Gnutella, etc. For traffic
toward customers, we use port-specific tcptraceroutes. Some published
data for the curious:
http://ana.csail.mit.edu/rsp/
Reader's digest summary: NetBIOS ports (and the innocent profile
service) 135-139 are among the most frequently blocked, along
with SMTP, POP3 and filters that have stuck around due to various
worms such as MS-SQL. That said, around 94% of the 16-bit port
space was unblocked by any network.
Curious to hear others' answers to this high-level question -- and the
more mundane question of filter maintenance.
rob
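An added illustration of the inference step the post describes (not Robert Beverly's code or the study's own): per-port tcptraceroute-style results are compared against a control port's full path to decide which ports a network filters toward its customers, then tallied across networks to get the "most frequently blocked" list and the "unblocked by any network" share. The hop names, the choice of port 80 as the control port and all sample data are constructed assumptions.

```python
"""Infer customer-facing port filters from per-port tcptraceroute-style
results and summarise them across networks (added illustration, not the
study's code; all sample data below is constructed)."""
from collections import Counter

# Assumed control port: one the networks do not filter, so its trace
# shows the full path to the customer.
REFERENCE_PORT = 80

# Constructed sample: network -> {probed TCP port: hops that answered}.
SAMPLE = {
    "net-a": {
        80: ["r1", "r2", "r3", "cust"],
        25: ["r1", "r2"],      # SMTP probe dies after the second hop
        135: ["r1", "r2"],     # NetBIOS/RPC filtered at the same hop
        139: ["r1", "r2"],
        1434: ["r1", "r2", "r3", "cust"],
    },
    "net-b": {
        80: ["e1", "e2", "cust"],
        25: ["e1", "e2", "cust"],
        135: ["e1"],           # filtered right after the edge router
        139: ["e1"],
        1434: [],              # no hop answered at all
    },
}

def blocked_ports(traces, reference_port=REFERENCE_PORT):
    """Ports whose probe never reached the customer, mapped to the last
    hop that answered (None if nothing answered)."""
    target = traces[reference_port][-1]
    blocked = {}
    for port, hops in traces.items():
        if port != reference_port and (not hops or hops[-1] != target):
            blocked[port] = hops[-1] if hops else None
    return blocked

def block_frequency(dataset, reference_port=REFERENCE_PORT):
    """How many networks in the dataset filter each port."""
    counts = Counter()
    for traces in dataset.values():
        counts.update(blocked_ports(traces, reference_port).keys())
    return counts

def unblocked_fraction(dataset, probed_ports, reference_port=REFERENCE_PORT):
    """Share of probed ports that no network in the dataset filters."""
    ever_blocked = set()
    for traces in dataset.values():
        ever_blocked.update(blocked_ports(traces, reference_port))
    return 1 - len(ever_blocked & set(probed_ports)) / len(probed_ports)
```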