nanog mailing list archives

Re: Incoming SSDP UDP 1900 filtering


From: Patrick McEvilly <patrick_mcevilly () harvard edu>
Date: Thu, 11 Apr 2019 10:08:17 -0400

I'm working with Level3 on a similar problem.  They filter both UDP and TCP port 1900 on our peer to them.  This is blocking all connections that randomly use ephemeral tcp port 1900.
    
They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900; what is the purpose of Level3 filtering tcp port 1900?
    
    
    On 3/25/19, 12:44 PM, "NANOG on behalf of Saku Ytti" <nanog-bounces () nanog org on behalf of saku () ytti fi> wrote:
    
        Hey Tom,
        
        > If your edge ingress ACLs are not 100% in sync all the time, you will inevitably have Really Weird Stuff happen that will end up taking forever to diagnose.
        
        You may in some cases have hard-to-troubleshoot issues, which is true
        for everything, even when perfectly configured, because software is
        not perfect. However, choosing to do iACL is still something many
        networks choose to do, because the upside is worth the complexity to
        them.
        
        > Packet filtering is more computationally taxing than just routing is. Your edge equipment is likely going to be built for maximum routing efficiency. Trying to bite off too much filtering there increases your risk of legit traffic being tossed on the floor.
        
        It depends on the implementation: on some implementations it is zero-cost,
        on some it is not. On most implementations it's very cheap, particularly
        compared to, say, uRPF. It seems your position is 'I don't know how ACL
        works on my platforms and I don't trust myself to write ACL, so I
        should not do them', which is a perfectly valid position under those
        constraints, but other networks have other constraints under which it is
        no longer a valid proposal to omit doing iACL.
        
        I would encourage networks to continue deploying iACL and consider it
        BCP. iACL removes attack surface and protects you from a host of known
        and unknown SIRT issues.
        
        -- 
          ++ytti
        
    
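The collateral damage Patrick describes, a "port 1900" filter that matches ephemeral source ports as well as the SSDP service port, can be measured before asking an upstream to change a rule. The following is an added example, not code from this thread or from any provider: it evaluates three candidate filter rules against a small constructed set of flow records and reports which non-target services each rule would drop.

```python
from collections import Counter, namedtuple

# Flow record as a flow collector or edge device would summarise it.
# "service" labels what the flow really is; it is used only to name collateral damage.
Flow = namedtuple("Flow", "proto src_port dst_port service")

# Constructed sample (not captured data): SSDP traffic plus ordinary sessions,
# two of which happened to draw ephemeral source port 1900.
SAMPLE_FLOWS = [
    Flow("udp", 40123, 1900, "ssdp-query"),
    Flow("udp", 1900, 53211, "ssdp-reply"),       # the amplification vector
    Flow("tcp", 1900, 443, "https"),              # client chose ephemeral 1900
    Flow("tcp", 1900, 22, "ssh"),                 # same for an SSH session
    Flow("tcp", 55000, 1900, "tcp1900-service"),  # a real listener on tcp/1900
    Flow("tcp", 51234, 443, "https"),
    Flow("udp", 44444, 53, "dns"),
]


def port_any(proto, port):
    """Rule that drops when the port is the source OR the destination
    (the blanket 'port 1900' filter described in the thread)."""
    return lambda f: f.proto == proto and port in (f.src_port, f.dst_port)


def port_dst(proto, port):
    """Rule that drops only traffic *to* the port, sparing sessions that
    merely drew it as an ephemeral source port."""
    return lambda f: f.proto == proto and f.dst_port == port


def assess(flows, rule):
    """Return (Counter of dropped services, number of flows passed)."""
    dropped = Counter(f.service for f in flows if rule(f))
    return dropped, len(flows) - sum(dropped.values())


def collateral(flows, rule, intended):
    """Sorted list of services the rule drops that were not its intended targets."""
    dropped, _ = assess(flows, rule)
    return sorted(s for s in dropped if s not in intended)


if __name__ == "__main__":
    rules = [("udp port 1900 (any)", port_any("udp", 1900)),
             ("tcp port 1900 (any)", port_any("tcp", 1900)),
             ("tcp dst port 1900", port_dst("tcp", 1900))]
    for name, rule in rules:
        dropped, passed = assess(SAMPLE_FLOWS, rule)
        print(f"{name:22} drops {dict(dropped)}, passes {passed}")
```

Run against real flow export instead of the sample list, the same functions show how many legitimate sessions a blanket TCP rule would have hit in a given window.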