nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Incoming SSDP UDP 1900 filtering

From: Sean Donelan <sean () donelan com>
Date: Mon, 25 Mar 2019 05:17:46 -0400 (EDT)
On Mon, 25 Mar 2019, marcel.duregards--- via NANOG wrote:

As SSDP is used with PnP for local LAN service discovery, we are
thinking of:

1) educate our client (take a lot of time)
2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border


Its always a bad idea to do packet filtering at your bgp border.
All packet filtering should be done as close to the customer as possible, preferably at the customer's home/office broadband gateway router device.
I don't know why the default configuration of a broadband gateway router would allow unsolicited internet-to-lan packets. Doing the filtering on the customer's broadband gateway router, enables individual customer configuration changes, i.e. in the unlikely event they use those UDP/TCP ports for something else.
Connecting "naked" consumer or enterprise LANs, i.e., a Synology NAS or most other things, directly to the internet without a gateway device is usually a bad idea. Naked LAN connections can be Ok in some situations, with proper configuration, but not by default.
Although somewhat controversal, since 2003 I think ISPs should have some default filters at the customer-edge which can be removed at an individual customer's request.
But no default packet filters at an ISP's BGP-edge, i.e., customer or upstream/downstream ISP bgp connections. It just breaks too many things, in weird difficult to diagnose ways.
Previous By Date Next
Previous By Thread Next

Current thread: