RE: RBL-type BGP service for known rogue networks?

[rdobbins () netmore net]

Sure; I see your point.  Thing is, though you don't -have- to make the ACL
thing automatic - you can have someone sitting and watching the thing, and
triggering it manually after positive identification.

-----Original Message-----
From: John Kristoff [mailto:jtk () depaul edu]
Sent: Friday, July 07, 2000 5:01 PM
To: nanog () merit edu
Subject: Re: RBL-type BGP service for known rogue networks?



rdobbins () netmore net wrote:
> I certainly don't think that intrusion-detection makes sense for the
> backbones and NAPs and so forth, but when you get closer to the
> traffic-orginator/requestor boundaries of the network, it becomes more
> feasible, does it not?

Perhaps.  It might be less detrimental to the entire Internet community
if only a edge customer's dynamic IDS/filtering system went haywire.  It
then boils down to an organization's design and support philosophy.

Personally, I don't like the idea of messing with packets/streams in
transit unless it's route them, drop them (congestion) or mark them (IP
ToS bits/DiffServ).  There of course may be a few instances where you
block an entire netblock (e.g. RFC 1918) or specific ports (e.g. snmp)
that are widely know to be insecure or invalid.

It seems easier in the long run (harder intially) to secure the end
systems.  Maybe I'm just getting used to vendors automatically
configuring my network with the routing protocols and I'm not quite
ready for automatic ACL definitions based on traffic patterns.  :-)
  
John