[14021] in North American Network Operators' Group
Re: Advisory - tunneling of IP at exchange points.
daemon@ATHENA.MIT.EDU (Lyndon Levesley)
Tue Nov 25 11:38:33 1997
To: "Neil J. McRae" <neil@domino.org>
cc: nanog@merit.edu
Reply-to: lol@gxn.net
From: Lyndon Levesley <lol@gxn.net>
In-reply-to: Your message of "Tue, 25 Nov 1997 15:53:28 GMT."
<199711251553.PAA10869@genesis.DOMINO.ORG>
Date: Tue, 25 Nov 1997 16:14:16 +0000
>>>>> On Tue, 25 Nov 1997 at around 15:53:28,
>>>>> "NJM" == Neil J. McRae penned:
NJM> On Tue, 25 Nov 1997 14:47:22 +0000 (GMT)
NJM> Paul Thornton <prt@linx.net> wrote:
+> The LINX and several of its members have recently had to take action
+> against an ISP that was using GRE tunneling between exchange points
+> to appropriate the capacity of other ISPs.
NJM> Hmm, unfortunately for us GRF owners it seems that filterd cannot deal
NJM> with filtering this. Joy! I wonder how many months for a fix!?
Neil,
With a bit of effort, you could
a) allow valid traffic sourced from a NAP address
b) deny any other traffic with a NAP source addr
couldn't you?
e.g.
[ inbound at ME ]
(in pseudo ACL :)
! Allow ping, trace etc. to work in and out
permit src=192.41.177.0/24 proto=(icmp, echo-request OR echo-reply OR
unreachable, ttl-exceed ... etc.)
! oh, and BGP
permit src=192.41.177.0/24 proto=(tcp, 179)
! horrible way to allow people to traceroute in from their NAP routers
permit src=192.41.177.0/24 proto=(udp, port>30000)
!
! Some other stuff I can't be bothered to think of here
!
deny src=192.41.177.0/24
As, in general, you shouldn't see many types of traffic coming into you
with a source address of a NAP router. I know it's possible that
people might want to telnet to one of your SMTP ports from their
Mae-East router, but it ain't very likely ;)
[ I'm assuming that the problem is you can't say "deny proto=0x2f" or
similar ? ]
NJM> Neil.
Cheers,
Lyndon
--
Penis Envy is a total Phallusy.
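The policy sketched in the pseudo ACL above, written out as a small Python model so the rule order can be checked against sample packets. This is an added example and is not code from Lyndon's post or from the NANOG thread. It takes the 192.41.177.0/24 prefix from the message, and makes a few assumptions the pseudo ACL leaves open: the ICMP types kept are echo-reply, unreachable, echo-request and time-exceeded; "tcp, 179" is matched on either the source or destination port, since a BGP session can be opened from either side; "udp, port>30000" is applied to the destination port; and packets not sourced from the NAP prefix fall through as permitted so the block can sit ahead of the rest of an inbound list. The packets evaluated at the end are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Exchange-point address block used in the pseudo ACL in the message
# (MAE-East's /24 as quoted there); substitute your own NAP's prefix.
NAP_PREFIX = ipaddress.ip_network("192.41.177.0/24")

# IANA IP protocol numbers. GRE is 47 (0x2f): the protocol the message
# assumes the filter cannot match on directly.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47

# Assumed reading of "echo-request OR echo-reply OR unreachable, ttl-exceed":
# echo-reply (0), destination-unreachable (3), echo-request (8),
# time-exceeded (11). Anything else ICMP from the NAP range is dropped.
PERMITTED_ICMP_TYPES = {0, 3, 8, 11}

BGP_PORT = 179
TRACEROUTE_UDP_MIN = 30000   # "port>30000" in the message; applied to dport here


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields the policy inspects."""
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def evaluate_inbound(pkt: Packet) -> str:
    """First-match evaluation of the policy for one packet arriving from the NAP.

    Returns "permit" or "deny". Only NAP-sourced packets are subject to the
    list; everything else falls through to "permit" (assumption) so that
    this block can be placed ahead of the rest of an inbound ACL.
    """
    if ipaddress.ip_address(pkt.src) not in NAP_PREFIX:
        return "permit"                       # not the NAP's address space

    if pkt.proto == PROTO_ICMP and pkt.icmp_type in PERMITTED_ICMP_TYPES:
        return "permit"                       # ping / traceroute control traffic

    # BGP may be initiated from either side, so accept port 179 as source or
    # destination (assumption; the pseudo ACL only says "tcp, 179").
    if pkt.proto == PROTO_TCP and BGP_PORT in (pkt.sport, pkt.dport):
        return "permit"

    # Classic UDP traceroute probes from the peer's NAP router land on high
    # destination ports (33434 and up), which "port>30000" covers.
    if pkt.proto == PROTO_UDP and pkt.dport is not None and pkt.dport > TRACEROUTE_UDP_MIN:
        return "permit"

    # Catch-all for the NAP source range. GRE (proto 47) is never explicitly
    # named, yet ends up here, which is the point of the message's approach.
    return "deny"


def run_samples() -> dict:
    """Evaluate a set of constructed packets and return {label: verdict}."""
    nap_router, our_host = "192.41.177.10", "10.0.0.1"
    samples = {
        "gre_from_nap": Packet(nap_router, our_host, PROTO_GRE),
        "bgp_open_from_nap": Packet(nap_router, "192.41.177.20", PROTO_TCP, sport=4321, dport=179),
        "bgp_reply_from_nap": Packet(nap_router, "192.41.177.20", PROTO_TCP, sport=179, dport=4321),
        "ping_from_nap": Packet(nap_router, our_host, PROTO_ICMP, icmp_type=8),
        "ttl_exceeded_from_nap": Packet(nap_router, our_host, PROTO_ICMP, icmp_type=11),
        "icmp_redirect_from_nap": Packet(nap_router, our_host, PROTO_ICMP, icmp_type=5),
        "traceroute_from_nap": Packet(nap_router, our_host, PROTO_UDP, sport=40000, dport=33434),
        "smtp_from_nap": Packet(nap_router, "10.0.0.25", PROTO_TCP, sport=5555, dport=25),
        "gre_from_elsewhere": Packet("198.51.100.7", our_host, PROTO_GRE),
    }
    return {label: evaluate_inbound(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:6s} {label}")
```

Two things the sample run makes visible: GRE from a NAP-range source is dropped without the filter ever needing to name protocol 47, and GRE from any other source sails through this block, since the policy keys purely on the source prefix, exactly as the "deny any other traffic with a NAP source addr" wording implies. Where the box can match on the IP protocol field, a single deny for 0x2f is simpler and closes that second gap; the permit-the-few, deny-the-rest list is the workaround for when it can't.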