Re: BCP for ISP to block worms at PEs and NAS

[John Kristoff <jtk () northwestern edu>]

On Sun, 17 Apr 2005 13:00:30 -0700
"J.D. Falk" <jdfalk () cybernothing org> wrote:

> > >  deny   udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate
> > traffic.
>
>       Is this really true?  All of the ports listed above are used by
>       LAN protocols that were never intended to communicate directly 
>       across backbone networks -- that's why VPNs were invented.

I was speaking to the last UDP rule as shown above, but a port number
is becoming increasingly more ambiguous as applications adapt when
specific ports are filtered.

There is also the idea of a 'port switching' process.  Find an
archived copy of draft-shepard-tcp-reassign-port-number for an
example.  Or even consider how TFTP works (port 69 is only in use
for the initial packet to the TFTP server).  Such a process
actually has two 'good' properties, that are often add odds in
many deployments.  One is to foster transparency back into the
network and the other is to improve resiliency from attackers
attempting to insert spoofed packets into the communications.

John