[169434] in North American Network Operators' Group
Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Wed Feb 26 16:02:27 2014
Date: Wed, 26 Feb 2014 16:01:50 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <CADE4tYXj30DeXS2-Jr1m87JGTB=xTbYVZTje-RvtWoB903jcPA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Brandon Galbraith" <brandon.galbraith@gmail.com>
> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam@comcast.net>
> wrote:
> > More politely stated, it's not the responsibility of the operator to
> > decide what belongs on the network and what doesn't. Users can run any
> > services that aren't illegal or even reuse ports for other
> > applications.
> Blocking chargen at the edge doesn't seem to be outside of the realm
> of possibilities.
All of these conversations are variants of "how easy is it to set up a
default ACL for loops, and then manage exceptions to it?".
Assuming your gear permits it, I don't personally see all that much
Bad Actorliness in setting a relatively tight bidirectional ACL for
Random Edge Customers, and opening up -- either specific ports, or
just "to a less-/un-filtered ACL" on specific request.
The question is -- as it is with BCP38 -- *can the edge gear handle it*?
And if not: why not? (Protip: because buyers of that gear aren't
agitating for it)
Cheers,
-- jra
-- 
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
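The "default ACL for loops, then manage exceptions" scheme described in the message above, worked through as an added example (not code from this thread or from any of its participants). It assumes IPv4 only, one prefix per customer port, a default policy that blocks the two UDP services the thread names (chargen and NTP, toward the customer side), and a Cisco-IOS-like ACL syntax that is rendered purely for illustration; the customer names and prefixes are constructed sample data. The anti-spoofing (BCP38) ingress filter is deliberately never waived, even for a customer moved to the "un-filtered" policy, which is a design choice of this example, not something the thread states.

```python
"""Default edge ACL with per-customer exceptions (added example; not from the
NANOG thread). Assumes IPv4, one prefix per customer port, and an
illustrative Cisco-IOS-like rendering of the resulting access lists."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Default policy toward customer ports: the UDP services the thread discusses.
# Anything not listed here is permitted unless the customer is un-filtered.
DEFAULT_BLOCKED_TO_CUSTOMER = frozenset({
    ("udp", 19),   # chargen
    ("udp", 123),  # NTP *server* side: client replies arrive from port 123, not to it
})


@dataclass
class Customer:
    name: str
    prefix: str                                   # prefix assigned to this edge port
    exceptions: set = field(default_factory=set)  # (proto, port) pairs opened on request
    unfiltered: bool = False                      # moved to the un-filtered ACL

    @property
    def net(self) -> IPv4Network:
        return ip_network(self.prefix)

    def blocked(self) -> set:
        """Services still blocked toward this customer after its exceptions."""
        if self.unfiltered:
            return set()
        return set(DEFAULT_BLOCKED_TO_CUSTOMER) - self.exceptions


def render_acls(c: Customer) -> list:
    """Render two per-port ACLs in an IOS-like syntax (illustrative only).

    FROM-<name>: inbound on the customer port; BCP38 by permitting only the
                 customer's own prefix as source. Never waived (design choice).
    TO-<name>:   toward the customer; deny the blocked services, permit the rest.
    """
    net = c.net
    wild = str(net.hostmask)  # IOS wildcard mask, e.g. 0.0.0.7 for a /29
    lines = [
        f"ip access-list extended FROM-{c.name}",
        f" permit ip {net.network_address} {wild} any",
        " deny ip any any log",
        f"ip access-list extended TO-{c.name}",
    ]
    for proto, port in sorted(c.blocked()):
        lines.append(f" deny {proto} any {net.network_address} {wild} eq {port}")
    lines.append(f" permit ip any {net.network_address} {wild}")
    return lines


def permitted_from_customer(c: Customer, src: str) -> bool:
    """BCP38 check on a packet entering the network from the customer port."""
    return ip_address(src) in c.net


def permitted_to_customer(c: Customer, dst: str, proto: str, dport: int) -> bool:
    """Evaluate the TO-<name> ACL for a packet heading toward the customer."""
    if ip_address(dst) not in c.net:
        return False
    return (proto, dport) not in c.blocked()


# Constructed sample customers (documentation prefixes, not real assignments).
HOME = Customer("HOME1", "192.0.2.0/29")
NTPHOST = Customer("NTP1", "198.51.100.0/28", exceptions={("udp", 123)})
OPEN = Customer("OPEN1", "203.0.113.0/24", unfiltered=True)

if __name__ == "__main__":
    for cust in (HOME, NTPHOST, OPEN):
        print("\n".join(render_acls(cust)), end="\n!\n")
```

Exceptions are a per-customer set rather than hand-edited ACL lines, so the exception list is the record that gets reviewed, and regenerating the ACLs from it is mechanical; a request to "open udp/123" becomes one entry, and a request for the un-filtered policy flips one flag without touching the anti-spoofing filter.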