Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
- Subject: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
- From: no.spam at comcast.net (Keegan Holley)
- Date: Thu, 27 Feb 2014 20:57:14 -0500
- In-reply-to: <[email protected]>
- References: <[email protected]>
It depends on how many customers you have and what sort of contract you have with them, if any. A significant amount of attack traffic comes from residential networks where a "one-size-fits-all" policy is definitely best.
On Feb 26, 2014, at 4:01 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
>> From: "Brandon Galbraith" <brandon.galbraith at gmail.com>
>
>> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam at comcast.net>
>> wrote:
>>> More politely stated, it's not the responsibility of the operator to
>>> decide what belongs on the network and what doesn't. Users can run any
>>> services that's not illegal or even reuse ports for other
>>> applications.
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm
>> of possibilities.
>
> All of these conversations are variants of "how easy is it to set up a
> default ACL for loops, and then manage exceptions to it?".
>
> Assuming your gear permits it, I don't personally see all that much
> Bad Actorliness in setting a relatively tight bidirectional ACL for
> Random Edge Customers, and opening up -- either specific ports, or
> just "to a less-/un-filtered ACL" on specific request.
>
> The question is -- as it is with BCP38 -- *can the edge gear handle it*?
>
> And if not: why not? (Protip: because buyers of that gear aren't
> agitating for it)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra at baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
>
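The "default tight ACL for random edge customers, with exceptions on request" approach Jay describes above, sketched as an added Python example that is not from the thread: a per-customer record carries the exceptions that have been granted (or a move to the un-filtered class), and the per-customer ACL is rendered from the default policy plus those exceptions, with a BCP38 source check kept on the inbound side regardless. The only service in the default block list is chargen (19/tcp and 19/udp, mentioned in the thread); the customer names, documentation prefixes and IOS-style syntax are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Default service blocks for a "random edge customer" (assumed example policy):
# (proto, port) pairs denied as source or destination port in both directions.
DEFAULT_BLOCKS = frozenset({("udp", 19), ("tcp", 19)})  # chargen, as discussed in the thread

@dataclass
class Customer:
    name: str
    prefix: str                                    # customer's assigned block, IOS wildcard form
    exceptions: set = field(default_factory=set)   # (proto, port) re-opened on specific request
    unfiltered: bool = False                       # customer moved to the less-/un-filtered ACL

def effective_blocks(cust):
    """Services still denied for this customer after applying its exceptions."""
    if cust.unfiltered:
        return set()
    return set(DEFAULT_BLOCKS) - cust.exceptions

def permitted(cust, proto, port):
    """Would a flow using (proto, port) on either end be passed for this customer?"""
    return (proto, port) not in effective_blocks(cust)

def render_acls(cust):
    """Render IOS-style in/out ACLs: service blocks both ways, BCP38 source check inbound."""
    blocks = sorted(effective_blocks(cust))
    inbound = [f"ip access-list extended {cust.name}-IN"]       # traffic arriving from the customer
    for proto, port in blocks:
        inbound.append(f" deny {proto} any eq {port} any")
        inbound.append(f" deny {proto} any any eq {port}")
    inbound.append(f" permit ip {cust.prefix} any")             # BCP38: only the customer's own sources
    inbound.append(" deny ip any any")                          # BCP38 stays even for unfiltered customers
    outbound = [f"ip access-list extended {cust.name}-OUT"]     # traffic heading toward the customer
    for proto, port in blocks:
        outbound.append(f" deny {proto} any eq {port} any")
        outbound.append(f" deny {proto} any any eq {port}")
    outbound.append(" permit ip any any")
    return inbound, outbound

if __name__ == "__main__":
    # Constructed sample customers: one on the default policy, one with a granted exception.
    default = Customer("CUST-A", "192.0.2.0 0.0.0.255")
    opened = Customer("CUST-B", "198.51.100.0 0.0.0.255", exceptions={("tcp", 19)})
    for cust in (default, opened):
        for acl in render_acls(cust):
            print("\n".join(acl))
```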