Re: BCP for ISP to block worms at PEs and NAS

[Randy Bush <randy () psg com>]

> > > On my Cisco-based SP network with RPMs in MGX chassis acting as
> > > PEs: I have the ACL below applied on many network devices to
> > > block the common worms ports,
> > if you are a service provider, perhaps filtering in the core
> > will not be appreciated by some customers.  of course, as a
> > provider, you can choose what 'service' you are providing.  but,
> > if you filter ports, it is not clear you are providing internet
> > service.
> one approach might be radius installed filters? some contract
> language to allow 'customers' to request standard templated
> filters at little/no-extra cost to them. Allow them to make the
> decision to filter themselves (where 'themselves' may be a dial
> reseller, of course).  Making them responsible means when
> odd-application-12 comes along to utilize tcp/135 you won't have
> to poke spot holes through your filters to permit this access.

yep.  but note that kim says "ACL below applied on many network
devices," and went on to mention ras, which i, possibly mistakenly,
took to mean not just the radius-able edge.

randy