Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

["Christopher L. Morrow" <chris () UU NET>]

On Fri, 18 Jul 2003, Niels Bakker wrote:

> * jared () puck Nether net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> > On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
> > > If I recall correctly, Rob's Secure IOS Template touches on filtering
> > > known services (the BGP listener, snmp), but what are people's feelings
> > > on maintaining filters on all interfaces *after* loading a fixed IOS?
> >     It shouldn't be done.  transit internet providers should not
> > be the edges firewalls.  The edge?  They can filter what they
> > want, but you should not filter things for people that they
> > don't know is being filtered.  I can see a few clear cases where this
> > is acceptable, and ms-sql was one of them.
>
> Good point.  Still, transit networks' ingress routers could filter on
> destination addresses of nodes known not to run IP protocols
> 53/55/77/103 in order to protect them.

hrm, what nodes don't run 55/53/77/103? What do? Do you have a list? Could
we have it?

Seriously though... the edge networks (as Jared pointed out) should be
able to decide what they want to filter and what they don't... perhaps
some large ISP would decide you don't want any traffic from 212/8 or
perhaps all porn? Or all religious material? You don't want someone
deciding what you do and don't get... unless that someone is you :)

> I suppose most networks have a limited number of ranges they use for
> assigning space to loopback and point-to-point interfaces so this
> needn't be an extreme amount of administration.

yes... inside my network I know what my loopbacks and links are, inside
yours?? No idea... or Jared's or Tim Battles or...