nanog mailing list archives
Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
From: Jay Ashworth <jra () baylink com>
Date: Wed, 26 Feb 2014 16:01:50 -0500 (EST)
----- Original Message -----
From: "Brandon Galbraith" <brandon.galbraith () gmail com>
On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam () comcast net> wrote:

More politely stated, it’s not the responsibility of the operator to decide what belongs on the network and what doesn’t. Users can run any service that’s not illegal or even reuse ports for other applications.

Blocking chargen at the edge doesn't seem to be outside of the realm of possibilities.

All of these conversations are variants of "how easy is it to set up a default ACL for loops, and then manage exceptions to it?".

Assuming your gear permits it, I don't personally see all that much Bad Actorliness in setting a relatively tight bidirectional ACL for Random Edge Customers, and opening up -- either specific ports, or just "to a less-/un-filtered ACL" on specific request.

The question is -- as it is with BCP38 -- *can the edge gear handle it*?

And if not: why not? (Protip: because buyers of that gear aren't agitating for it)

Cheers,
-- jra
--
Jay R. Ashworth            Baylink                       jra () baylink com
Designer                   The Things I Think            RFC 2100
Ashworth & Associates      http://www.bcp38.info         2000 Land Rover DII
St Petersburg FL USA       BCP38: Ask For It By Name!    +1 727 647 1274