[171752] in North American Network Operators' Group


Re: level3 dia egress filtering?

daemon@ATHENA.MIT.EDU (Ca By)
Mon May 12 22:02:37 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.64.1405121845520.19244@whammy.cluebyfour.org>
Date: Mon, 12 May 2014 19:02:28 -0700
From: Ca By <cb.list6@gmail.com>
To: "Justin M. Streiner" <streiner@cluebyfour.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

On May 12, 2014 6:53 PM, "Justin M. Streiner" <streiner@cluebyfour.org>
wrote:
>
> On Mon, 12 May 2014, Bob Evans wrote:
>
>> Ahh,  Yep, same thing port and/or protocol for an address range.  I
>> haven't seen that accomplished via BGP. I know ATT will do it - they
>> want about 2K more per month for that ability. All your traffic is
>> redirected (extra hops) through a firewall. So, it's a basic expensive
>> firewall service.
>>
>> We have done both port based and protocol. But it gets installed by hand
>> only on the connected port the customer.
>
>
> From what I've seen, most of the major carriers don't filter traffic
> outside of truly exceptional circumstances, or it's treated as a revenue
> source.  If it's offered at all, it's often priced unattractively, because
> carriers often don't want to be in the firewall/port-filtering business.
>
> jms

All my providers provide me incident response that includes rtbh as well as
ACL and in some cases protocol rate limiting.  ACL may take a while working
the phone, but rtbh is immediate.

I substantially decreased business with at&t since they do not offer rtbh.
Rtbh is really the floor on security features, and at&t is below the floor.

CB
