nanog mailing list archives
Re: Advisory - tunneling of IP at exchange points.
From: Lyndon Levesley <lol () gxn net>
Date: Tue, 25 Nov 1997 16:14:16 +0000
On Tue, 25 Nov 1997 at around 15:53:28, "NJM" == Neil J. McRae penned:
NJM> On Tue, 25 Nov 1997 14:47:22 +0000 (GMT)
NJM> Paul Thornton <prt () linx net> wrote:
+> The LINX and several of its members have recently had to take action
+> against an ISP that was using GRE tunneling between exchange points
+> to appropriate the capacity of other ISPs.

NJM> Hmm unfortunately for us GRF owners it seems that filterd cannot deal
NJM> with filter this. Joy! I wonder how many months for a fix!?

Neil,

With a bit of effort, you could
  a) allow valid traffic sourced from a NAP address
  b) deny any other traffic with a NAP source addr
couldn't you ?

e.g. [ inbound at ME ] (in pseudo ACL :)

! Allow ping, trace etc. to work in and out
permit src=192.41.177.0/24 proto=(icmp, echo-request OR echo-reply OR unreachable, ttl-exceed ... etc.)
! oh, and BGP
permit src=192.41.177.0/24 proto=(tcp, 179)
! horrible way to allow people to traceroute in from their NAP routers
permit src=192.41.177.0/24 proto=(udp, port>30000)
!
! Some other stuff I can't be bothered to think of here
!
deny src=192.41.177.0/24

As, in general, you shouldn't see many types of traffic into you with
a source address of a NAP router. I know it's possible that people might
want to telnet to one of your SMTP ports from their Mae-East router but
it ain't very likely ;)

[ I'm assuming that the problem is you can't say "deny proto=0x2f" or similar ? ]

NJM> Neil.

Cheers,
Lyndon
--
Penis Envy is a total Phallusy.
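
The pseudo ACL from the message above, modelled as a first-match rule list and run over constructed packets. This is an added example, not part of the original post; the packet dictionary format, the ICMP type numbers, matching port 179 on either side of the connection, and the "unmatched" result for sources outside the exchange prefix are assumptions.

```python
import ipaddress

NAP = ipaddress.ip_network("192.41.177.0/24")   # exchange LAN prefix used in the post
ICMP, TCP, UDP, GRE = 1, 6, 17, 47              # IP protocol numbers; GRE is 0x2f
ICMP_OK = {0, 3, 8, 11}  # echo-reply, unreachable, echo-request, ttl-exceeded

def from_nap(pkt):
    return ipaddress.ip_address(pkt["src"]) in NAP

# First match wins, in the same order as the pseudo ACL.
RULES = [
    ("permit", "icmp", lambda p: from_nap(p) and p["proto"] == ICMP
        and p.get("icmp_type") in ICMP_OK),
    ("permit", "bgp", lambda p: from_nap(p) and p["proto"] == TCP
        and 179 in (p.get("sport"), p.get("dport"))),
    ("permit", "traceroute", lambda p: from_nap(p) and p["proto"] == UDP
        and p.get("dport", 0) > 30000),
    ("deny", "nap-other", from_nap),
]

def evaluate(pkt):
    """Return (action, rule); 'unmatched' means these rules do not decide the packet."""
    for action, name, match in RULES:
        if match(pkt):
            return action, name
    return "unmatched", None

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "gre_from_nap":   {"src": "192.41.177.10", "proto": GRE},
    "ping_from_nap":  {"src": "192.41.177.10", "proto": ICMP, "icmp_type": 8},
    "bgp_from_nap":   {"src": "192.41.177.20", "proto": TCP, "sport": 41000, "dport": 179},
    "trace_from_nap": {"src": "192.41.177.20", "proto": UDP, "sport": 50000, "dport": 33434},
    "smtp_from_nap":  {"src": "192.41.177.20", "proto": TCP, "sport": 41001, "dport": 25},
    "gre_off_lan":    {"src": "198.51.100.7", "proto": GRE},
}

def classify_samples():
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:15} {result}")
```

GRE sourced from the exchange LAN is dropped by the final deny without any rule matching on protocol 47; the same packet from an address outside 192.41.177.0/24 is not decided by these rules.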