[64284] in North American Network Operators' Group


Re: IAB concerns against permanent deployment of edge-based filtering

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Oct 18 17:56:36 2003

To: bmanning@karoshi.com
Cc: paf@cisco.com (Patrik Fältström),
	nanog@nanog.org, iab@iab.org, randy@psg.com (Randy Bush)
In-Reply-To: Your message of "Sat, 18 Oct 2003 14:28:10 PDT."
             <200310182128.h9ILSAT16108@karoshi.com> 
From: Valdis.Kletnieks@vt.edu
Date: Sat, 18 Oct 2003 17:55:29 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Sat, 18 Oct 2003 14:28:10 PDT, bmanning@karoshi.com said:

> > > ... part of the INTERnet, and we 
> > > would like it all to interoperate end to end.
> 	
> 	that must be the royal "we"...

Nope.  The collective we.  If you aren't in the set of people who wants things
to interoperate, why are you subscribed to NANOG? ;)

> 	if there is really a concern that port filtering is 
> 	inherently bad and should only be exercised as a temporary
> 	expedient, then why not open up all ports on the end systems?

There's a distinction between filtering ports at the ISP and opening them up on
the end systems, which you are trying to gloss over - when in fact the
distinction is important.

> 	blocking ports 5, 7, 9, 11 and 19 is fairly common these
> 	days.  is the IAB seriously suggesting that ISPs remove the
> 	filters on/for these ports?

My machine is quite able to decide if it wants to accept traffic on those
ports, or reject it with an appropriate error message, or silently discard it.
In the unlikely event of a DDoS attack involving those ports, I will discuss
mitigation with my provider.

The only reason we're having this discussion is because there's a majority
market share by vendors who have traditionally shipped systems that are unable
to make reasonable decisions about accepting traffic (yes, vendors plural.
Fortunately, most have recanted over the past few years).

And yes, I read it as "the IAB is suggesting the time for filtering those ports
has either passed or will soon be" - how many vendors are *still* shipping code
that does the default things on those ports?

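The reply above argues that the end host, not the ISP, should choose whether to accept traffic on the legacy small-service ports, reject it with an error, or silently discard it. As an added example (not part of the original thread or the IAB document it discusses), the script below generates an nftables ruleset expressing each of those three dispositions for the ports quoted in the thread (5, 7, 9, 11, 19). The port list comes from the message; the `inet` family, the table and chain names, and the `gen_small_service_rules` function are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an nftables ruleset that
# lets the end host decide what happens to the legacy "small services" ports
# named in the message (5 rje, 7 echo, 9 discard, 11 systat, 19 chargen).
# Assumptions: nftables 'inet' family syntax; table/chain names are constructed.

SMALL_SERVICE_PORTS="5, 7, 9, 11, 19"

# gen_small_service_rules POLICY
#   POLICY is one of: accept | reject | drop
#   accept  - the host's own daemons (if any) answer on those ports
#   reject  - the host answers with an ICMP port-unreachable error
#   drop    - the host silently discards the packets
#   Prints a complete nftables ruleset to stdout; returns 1 on a bad policy.
gen_small_service_rules() {
    policy="$1"
    case "$policy" in
        accept) verdict="accept" ;;
        reject) verdict="reject with icmpx type port-unreachable" ;;
        drop)   verdict="drop" ;;
        *) echo "unknown policy: $policy (use accept|reject|drop)" >&2; return 1 ;;
    esac
    cat <<EOF
table inet small_services {
    chain input {
        type filter hook input priority 0; policy accept;
        # Both TCP and UDP: echo and chargen over UDP are the classic
        # reflection vectors, so the UDP rule matters as much as the TCP one.
        tcp dport { $SMALL_SERVICE_PORTS } counter $verdict
        udp dport { $SMALL_SERVICE_PORTS } counter $verdict
    }
}
EOF
}

# Usage (review the output first, then load it):
#   gen_small_service_rules reject            # print the ruleset
#   gen_small_service_rules reject | sudo nft -f -   # apply it
```

The `counter` keyword keeps per-rule hit counts, which is what turns a local filtering decision into evidence: if the counters on the UDP rule climb unexpectedly, that is the point at which the author's "discuss mitigation with my provider" step becomes concrete.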
