[79890] in North American Network Operators' Group

Re: BCP for ISP to block worms at PEs and NAS

daemon@ATHENA.MIT.EDU (John Kristoff)
Sun Apr 17 20:25:38 2005

Date: Sun, 17 Apr 2005 19:25:07 -0500
From: John Kristoff <jtk@northwestern.edu>
To: nanog@merit.edu
In-Reply-To: <20050417200030.GG1174@arctic.org>
Errors-To: owner-nanog@merit.edu


On Sun, 17 Apr 2005 13:00:30 -0700
"J.D. Falk" <jdfalk@cybernothing.org> wrote:

> > >  deny   udp any any eq 1026
> > 
> > Similar as before, you are going to be removing some legitimate
> > traffic.
> 
> 	Is this really true?  All of the ports listed above are used by
> 	LAN protocols that were never intended to communicate directly 
> 	across backbone networks -- that's why VPNs were invented.

I was speaking to the last UDP rule as shown above, but a port number
is becoming increasingly more ambiguous as applications adapt when
specific ports are filtered.

There is also the idea of a 'port switching' process.  Find an
archived copy of draft-shepard-tcp-reassign-port-number for an
example.  Or even consider how TFTP works (port 69 is only in use
for the initial packet to the TFTP server).  Such a process
actually has two 'good' properties, that are often at odds in
many deployments.  One is to foster transparency back into the
network and the other is to improve resiliency from attackers
attempting to insert spoofed packets into the communications.

John
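As an added illustration of the TFTP point above (this is not code from the mail or from NANOG): the script below constructs a five-packet TFTP read transfer per RFC 1350, in which only the request goes to port 69 and the server answers from a freshly chosen transfer identifier (TID). It then shows what a stateless `deny udp any any eq <port>` line (Cisco extended-ACL semantics, where `eq` after the destination applies to the destination port) actually catches, versus a small flow tracker that learns the server's TID from the first reply. The addresses, port numbers and the tracker design are assumptions chosen for the example.

```python
"""Why a single destination-port ACL line sees only the first packet of a
port-switching protocol such as TFTP (RFC 1350), and what a flow-aware
filter has to track instead.  All packets are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    note: str  # what the datagram carries; display only


# Constructed TFTP read (RRQ) transfer.  Only the first datagram is addressed
# to port 69; the server replies from a new TID and the rest of the session
# runs between the two ephemeral ports.  Addresses are RFC 5737 examples.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
TFTP_EXCHANGE: List[Packet] = [
    Packet(CLIENT, 49152, SERVER, 69,    "RRQ 'config.bin' octet"),
    Packet(SERVER, 50000, CLIENT, 49152, "DATA block 1"),
    Packet(CLIENT, 49152, SERVER, 50000, "ACK block 1"),
    Packet(SERVER, 50000, CLIENT, 49152, "DATA block 2 (last, < 512 bytes)"),
    Packet(CLIENT, 49152, SERVER, 50000, "ACK block 2"),
]
# An unrelated datagram (constructed) to confirm neither filter over-matches.
UNRELATED = Packet(CLIENT, 49153, "203.0.113.7", 53, "DNS query")


def stateless_deny_dport(packets: List[Packet], port: int) -> List[Packet]:
    """Emulate one 'deny udp any any eq <port>' line: match on destination port only."""
    return [p for p in packets if p.dport == port]


class TftpFlowTracker:
    """Minimal stateful matcher (assumed design): a datagram to the service port
    opens a pending request; the server's first reply to that client port reveals
    the TID and establishes the flow; later datagrams match by endpoint pair."""

    def __init__(self, service_port: int = 69) -> None:
        self.service_port = service_port
        self.pending: Set[Tuple[str, int, str]] = set()      # (client, cport, server)
        self.flows: Set[FrozenSet[Tuple[str, int]]] = set()  # {(ip, port), (ip, port)}

    def observe(self, p: Packet) -> bool:
        """Return True if the datagram belongs to a TFTP transfer."""
        if p.dport == self.service_port:            # initial RRQ/WRQ
            self.pending.add((p.src, p.sport, p.dst))
            return True
        pending_key = (p.dst, p.dport, p.src)       # server's first reply?
        if pending_key in self.pending:
            self.pending.discard(pending_key)
            self.flows.add(frozenset({(p.src, p.sport), (p.dst, p.dport)}))
            return True
        return frozenset({(p.src, p.sport), (p.dst, p.dport)}) in self.flows


def stateful_deny_tftp(packets: List[Packet], port: int = 69) -> List[Packet]:
    """Run the tracker over a packet sequence and return every datagram it attributes to TFTP."""
    tracker = TftpFlowTracker(port)
    return [p for p in packets if tracker.observe(p)]


if __name__ == "__main__":
    traffic = TFTP_EXCHANGE + [UNRELATED]
    print("deny udp any any eq 69 matches:")
    for p in stateless_deny_dport(traffic, 69):
        print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}  {p.note}")
    print("flow tracker attributes to TFTP:")
    for p in stateful_deny_tftp(traffic):
        print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}  {p.note}")
```

The stateless line drops exactly one of the six datagrams (the RRQ), while the flow tracker attributes all five transfer datagrams to TFTP and leaves the DNS query alone; a filter placed where it sees only one direction of the traffic would not even learn the TID.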
