[169473] in North American Network Operators' Group


Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet

daemon@ATHENA.MIT.EDU (Keegan Holley)
Thu Feb 27 20:59:42 2014

From: Keegan Holley <no.spam@comcast.net>
In-Reply-To: <32090960.10160.1393448510556.JavaMail.root@benjamin.baylink.com>
Date: Thu, 27 Feb 2014 20:57:14 -0500
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It depends on how many customers you have and what sort of contract you have with them, if any. A significant amount of attack traffic comes from residential networks where a "one-size-fits-all" policy is definitely best.

On Feb 26, 2014, at 4:01 PM, Jay Ashworth <jra@baylink.com> wrote:

> ----- Original Message -----
>> From: "Brandon Galbraith" <brandon.galbraith@gmail.com>
>
>> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam@comcast.net>
>> wrote:
>>> More politely stated, it's not the responsibility of the operator to
>>> decide what belongs on the network and what doesn't. Users can run any
>>> services that's not illegal or even reuse ports for other
>>> applications.
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm
>> of possibilities.
>
> All of these conversations are variants of "how easy is it to set up a
> default ACL for loops, and then manage exceptions to it?".
>
> Assuming your gear permits it, I don't personally see all that much
> Bad Actorliness in setting a relatively tight bidirectional ACL for
> Random Edge Customers, and opening up -- either specific ports, or
> just "to a less-/un-filtered ACL" on specific request.
>
> The question is -- as it is with BCP38 -- *can the edge gear handle it*?
>
> And if not: why not?  (Protip: because buyers of that gear aren't
> agitating for it)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       jra@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
>
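The exception-management question raised in the quoted post ("set up a default ACL ... and then manage exceptions to it"), modelled as an added example that is not part of this thread or of any vendor's software: a default-deny table for the UDP ports named in the discussion (chargen/19, NTP/123) applied to every residential customer prefix, per-customer exceptions granted on request and validated against that table, a first-match-wins evaluator, and a rendering into Cisco IOS extended-ACL syntax for illustration. The class, the customer names and the 192.0.2.0/24 prefix are constructed; the model covers one direction only (customer prefix as source, filtered port as destination), so a bidirectional deployment would need a mirrored list on the other interface direction.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network

# Default edge policy (constructed example): UDP ports denied for every
# residential customer unless that customer holds a recorded exception.
# chargen/19 and ntp/123 are the services named in the thread.
DEFAULT_DENIED_UDP_PORTS = {19: "chargen", 123: "ntp"}


@dataclass
class Customer:
    name: str
    prefix: IPv4Network
    exceptions: set = field(default_factory=set)  # UDP ports opened on request


class EdgeAclPolicy:
    """Default-deny ACL with per-customer exceptions, evaluated first-match-wins."""

    def __init__(self):
        self.customers = {}

    def add_customer(self, name, prefix):
        # strict=True rejects a prefix with host bits set, a common typo that
        # would otherwise attach an exception to the wrong block of addresses.
        self.customers[name] = Customer(name, ip_network(prefix, strict=True))

    def grant_exception(self, name, port):
        # Only ports the default policy actually denies can be excepted;
        # refusing anything else keeps the exception table from drifting.
        if port not in DEFAULT_DENIED_UDP_PORTS:
            raise ValueError(f"udp/{port} is not denied by default; nothing to except")
        self.customers[name].exceptions.add(port)

    def revoke_exception(self, name, port):
        self.customers[name].exceptions.discard(port)

    def rules(self):
        # Ordered rule list: customer-specific permits first, then the default
        # denies, then a final permit-all. Tuple: (action, src_prefix|None, udp_port|None)
        out = []
        for cust in self.customers.values():
            for port in sorted(cust.exceptions):
                out.append(("permit", cust.prefix, port))
        for port in sorted(DEFAULT_DENIED_UDP_PORTS):
            out.append(("deny", None, port))
        out.append(("permit", None, None))
        return out

    def decision(self, src_ip, udp_port):
        # Walk the rule list the way a router ACL does: first match wins.
        src = ip_address(src_ip)
        for action, prefix, port in self.rules():
            if prefix is not None and src not in prefix:
                continue
            if port is not None and port != udp_port:
                continue
            return action
        raise AssertionError("unreachable: the final permit-all rule always matches")

    def render_ios(self, acl_name="EDGE-CUSTOMER-DEFAULT"):
        # Cisco IOS extended-ACL syntax, used only to show what the exception
        # table expands to on a router; adapt to the platform actually in use.
        lines = [f"ip access-list extended {acl_name}"]
        for action, prefix, port in self.rules():
            src = "any" if prefix is None else f"{prefix.network_address} {prefix.hostmask}"
            if port is None:
                lines.append(f" {action} ip {src} any")
            else:
                lines.append(f" {action} udp {src} any eq {port}")
        return "\n".join(lines)


if __name__ == "__main__":
    policy = EdgeAclPolicy()
    policy.add_customer("cust-a", "192.0.2.0/24")  # documentation prefix, constructed
    policy.grant_exception("cust-a", 123)          # cust-a asked to run an NTP server
    print(policy.render_ios())
    print(policy.decision("192.0.2.10", 123))      # permit (exception)
    print(policy.decision("198.51.100.5", 123))    # deny (default)
```

The rule order is the whole point: exceptions must sit above the default denies or they never match, and the validation in `grant_exception` is what keeps an operator from quietly adding "exceptions" for ports the default policy never touched, which is how a tight default list drifts into an unmanaged one.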
