[61601] in North American Network Operators' Group


Re: What do you want your ISP to block today?

daemon@ATHENA.MIT.EDU (Gerardo Gregory)
Sat Aug 30 21:00:01 2003

In-Reply-To: <000d01c36f51$9aa00bc0$a22e1e43@Traveler> 
From: "Gerardo Gregory" <ggregory@affinitas.net>
To: "Mark Borchers" <mborchers@igillc.com>
Cc: "'NANOG'" <nanog@merit.edu>
Date: Sat, 30 Aug 2003 19:50:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu


Well I understand why an ISP will filter these. 

But those things you mentioned are not software vendor vulnerabilities, or 
vulnerabilities of some proprietary protocol used only by desktop systems. 

Also the ISP will filter anything it feels is a threat to its own 
systems as that is where their own responsibility lies, and if they don't 
protect these they don't make any money. 

Because an ISP chooses to filter IANA reserved addresses (I am to argue that 
all do not perform this type of filtering, I would think that applying 
prefix lists, and null routes is what an ISP would do...not filter on source 
address...I have received packets at my edge with an IANA reserved address as 
the source), or turn off IP directed broadcasts, does not compare to 
applying filters every single time some vendor releases faulty code, or 
their code is exploited.  These exploits affect the end user nodes of the 
ISP's customer, not the ISP itself (in a grand scale).  The ISP is a 
business. 

G. 

Mark Borchers writes: 

>> -----Original Message-----
>> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On 
>> Behalf Of Gerardo Gregory 
>> 
>>     Frankly I don't want any of my ISPs filtering any of my traffic.  I
>> think we need (especially enterprise administrators like myself) to take
>> some responsibility, and place our own filters.
> 
> That's a popular sentiment which derives its facade of reasonableness
> from the notion that ISPs ought to provide unencumbered pipes to the
> Internet core.  However, it doesn't bear close scrutiny. 
> 
> Would you say that ISPs should not filter spoofed source addresses?
> That they should turn off "no ip directed broadcast"?  Of course not,
> because such traffic is clearly pathological with no redeeming social
> value. 
> 
> The tough part for the ISP is to decide what other traffic types are
> absolutely illegitimate and should therefore be subject to being
> Verboten on the net. 
> 


Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
 ------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net 

