nanog mailing list archives

Re: BCP for ISP to block worms at PEs and NAS


From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sun, 17 Apr 2005 16:16:33 +0000 (GMT)



On Sun, 17 Apr 2005, Randy Bush wrote:


> > On my Cisco-based SP network with RPMs in MGX chassis acting as PEs:
> > I have the ACL below applied on many network devices to block the
> > common worms ports,
>
> if you are a service provider, perhaps filtering in the core will
> not be appreciated by some customers.  of course, as a provider,
> you can choose what 'service' you are providing.  but, if you
> filter ports, it is not clear you are providing internet service.

one approach might be radius installed filters? some contract language to
allow 'customers' to request standard templated filters at little/no-extra
cost to them. Allow them to make the decision to filter themselves (where
'themselves' may be a dial reseller, of course).  Making them responsible
means when odd-application-12 comes along to utilize tcp/135 you won't
have to poke spot holes through your filters to permit this access.
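
Added example, not part of the original post or thread: one way the opt-in, templated filters suggested above could be rendered as per-subscriber RADIUS reply attributes. It assumes a NAS that accepts Cisco's per-user ACL AV-pairs (`ip:inacl#...` and `ip:outacl#...`); the template name, the subscriber names and the ports other than tcp/135 are constructed.

```python
# Added example, not from the post. Assumed: Cisco's per-user ACL AV-pair
# form "ip:inacl#<seq>=<ACL line>" / "ip:outacl#...", FreeRADIUS-style
# "+=" reply items, and every name and subscriber below (constructed).

# Provider's standard templates. tcp/135 is the port named in the post;
# the other two entries are constructed sample values.
TEMPLATES = {"worm-ports": [("tcp", 135), ("tcp", 445), ("udp", 1434)]}

# Constructed records: each customer picks a template or None (unfiltered).
SUBSCRIBERS = {
    "user1@reseller-a.example": "worm-ports",
    "user2@reseller-b.example": None,
}


def acl_lines(template):
    """Validate a template and return its ACL lines, ending in a permit."""
    lines = []
    for proto, port in TEMPLATES[template]:  # KeyError: unknown template
        # Values end up in device config, so reject anything unexpected.
        port_ok = isinstance(port, int) and 0 < port < 65536
        if proto not in ("tcp", "udp") or not port_ok:
            raise ValueError(f"bad rule in {template}: {proto}/{port}")
        lines.append(f"deny {proto} any any eq {port}")
    return lines + ["permit ip any any"]


def reply_items(user):
    """Reply attributes to return in this subscriber's Access-Accept."""
    template = SUBSCRIBERS[user]
    if template is None:
        return []  # customer did not opt in: no filter is installed
    items = []
    for direction in ("inacl", "outacl"):  # from and to the subscriber
        for i, line in enumerate(acl_lines(template), start=1):
            items.append(f'Cisco-AVPair += "ip:{direction}#{i * 10}={line}"')
    return items


if __name__ == "__main__":
    for user in SUBSCRIBERS:
        shown = reply_items(user) or ["(no filter attributes)"]
        print(user, *shown, sep="\n    ")
```

A subscriber whose application needs tcp/135 is handled by changing that subscriber's template choice, not by editing a shared filter.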

