[46016] in North American Network Operators' Group


Re: Telco's write best practices for packet switching networks

daemon@ATHENA.MIT.EDU (Joe Abley)
Thu Mar 7 17:18:22 2002

Date: Thu, 7 Mar 2002 17:15:06 -0500
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v481)
Cc: "Steven M. Bellovin" <smb@research.att.com>,
	"Christopher L. Morrow" <chris@UU.NET>, Ron da Silva <ron@aol.net>,
	<nanog@merit.edu>
To: Sean Donelan <sean@donelan.com>
From: Joe Abley <jabley@automagic.org>
In-Reply-To: <Pine.GSO.4.40.0203071618090.25551-100000@clifden.donelan.com>
Message-Id: <C7BBB3D5-3218-11D6-9CE9-00039312C852@automagic.org>
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu



On Thursday, March 7, 2002, at 04:37 , Sean Donelan wrote:

> My comment was originally prompted by the meeting minutes which
> reported on the survey data showing that 100% of carriers are implementing
> firewalls in their gateways.  The 100% is what caught my eye.  As the
> topic comes up in various places, large ISPs repeatedly say they are
> unable to implement filters or packet screening on their high-speed
> links such as at peering points.

How recently are ISPs repeatedly saying this? Packet filtering on 
high-speed optical interfaces has been possible for some time, depending 
on your router vendor, for some value of "packet filtering".

I could understand it if the issue of how to manage packet filter 
definitions on routers as the network changes was a problem. But I 
would be slightly surprised if there was still a universal voice saying 
"we absolutely cannot filter packets at the edge, because the vendors 
won't let us".

To meet the requirements of what I understood the original quoted 
fragment to be saying, it's perhaps not necessary to packet filter at 
the edge, anyway. You can apply a firewall to just the loopback 
interface of a junos box and arguably consider your control element 
firewalled.


Joe
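
The loopback-filter approach described in the last paragraph of the message, written out as Junos `set` commands. This is an added example, not part of the original message; the filter, term, prefix-list and counter names and the 192.0.2.0/24 and 198.51.100.1/32 addresses are constructed placeholders.

```junos
# Constructed example: every name and address below is a placeholder.

# Sources allowed to reach the router's own control plane.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24
set policy-options prefix-list bgp-peers 198.51.100.1/32

# SSH only from the management range.
set firewall family inet filter protect-re term ssh-from-mgmt from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-re term ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-re term ssh-from-mgmt then accept

# BGP only from configured peers; "port" matches source or destination,
# so sessions opened in either direction are covered.
set firewall family inet filter protect-re term bgp-from-peers from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp-from-peers from protocol tcp
set firewall family inet filter protect-re term bgp-from-peers from port bgp
set firewall family inet filter protect-re term bgp-from-peers then accept

# ICMP types needed for ping, traceroute and path MTU discovery.
set firewall family inet filter protect-re term icmp-diagnostics from protocol icmp
set firewall family inet filter protect-re term icmp-diagnostics from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-re term icmp-diagnostics then accept

# Everything else addressed to the router itself is counted, logged and dropped.
set firewall family inet filter protect-re term discard-rest then count re-discard
set firewall family inet filter protect-re term discard-rest then log
set firewall family inet filter protect-re term discard-rest then discard

# Attach the filter to the loopback interface, inbound.
set interfaces lo0 unit 0 family inet filter input protect-re
```

An input filter on lo0 is evaluated for packets addressed to the router itself regardless of the interface they arrive on, so transit traffic on the high-speed links is not touched. Any other protocol the box speaks (IGP, NTP, SNMP, replies to router-originated sessions) needs its own accept term ahead of the final discard, and `commit confirmed` guards against locking yourself out while testing.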

