nanog mailing list archives
Re: BCP for ISP to block worms at PEs and NAS
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Mon, 18 Apr 2005 02:38:56 +0000 (GMT)
On Sun, 17 Apr 2005, Randy Bush wrote:
On my Cisco-based SP network with RPMs in MGX chassis acting as PEs: I have the ACL below applied on many network devices to block the common worms ports,if you are a service provider, perhaps filtering in the core will not be appreciated by some customers. of course, as a provider, you can choose what 'service' you are providing. but, if you filter ports, it is not clear you are providing internet service.one approach might be radius installed filters? some contract language to allow 'customers' to request standard templated filters at little/no-extra cost to them. Allow them to make the decision to filter themselves (where 'themselves' may be a dial reseller, of course). Making them responsible means when odd-application-12 comes along to utilize tcp/135 you won't have to poke spot holes through your filters to permit this access.yep. but note that kim says "ACL below applied on many network devices," and went on to mention ras, which i, possibly mistakenly, took to mean not just the radius-able edge.
whoops, I read his original note as: "i have a large dial/dsl plant for a network and I want to offer filtered Internet" So I lept to: "wow, use radius applied acls for your users, let them choose to have it or not, make standard templates available." If there is no need to filter 'all links' just 'customer links' (and 'customer links' == dial/dsl/radius-authed-connection-types) then the radius filters thing might be a boone to Kim's productivity.
Current thread:
- BCP for ISP to block worms at PEs and NAS Kim Onnel (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Suresh Ramasubramanian (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Kim Onnel (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Steven M. Bellovin (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS John Kristoff (Apr 17)