Incoming SSDP UDP 1900 filtering

[sean at donelan.com (Sean Donelan)]

On Mon, 25 Mar 2019, marcel.duregards--- via NANOG wrote:
> As SSDP is used with PnP for local LAN service discovery, we are
> thinking of:
>
> 1) educate our client (take a lot of time)
> 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border

Its always a bad idea to do packet filtering at your bgp border.

All packet filtering should be done as close to the customer as possible, 
preferably at the customer's home/office broadband gateway router device.

I don't know why the default configuration of a broadband gateway router 
would allow unsolicited internet-to-lan packets. Doing the filtering on 
the customer's broadband gateway router, enables individual customer 
configuration changes, i.e. in the unlikely event they use those UDP/TCP 
ports for something else.

Connecting "naked" consumer or enterprise LANs, i.e., a Synology NAS or 
most other things, directly to the internet without a gateway device is 
usually a bad idea. Naked LAN connections can be Ok in some situations, 
with proper configuration, but not by default.

Although somewhat controversal, since 2003 I think ISPs should have 
some default filters at the customer-edge which can be removed at 
an individual customer's request.

But no default packet filters at an ISP's BGP-edge, i.e., customer or 
upstream/downstream ISP bgp connections. It just breaks too many things, 
in weird difficult to diagnose ways.