Home page logo
/

nanog logo nanog mailing list archives

Re: NSPs and filters
From: "Dorian R. Kim" <dorian () blackrose org>
Date: Sun, 13 Jul 1997 16:16:09 -0400 (EDT)

On Sun, 13 Jul 1997, Jon Lewis wrote:

A certain minimal level of network security should be a part of any
responsible network.  Perhaps its not practical to run with filters on
every router...especially core and big exchange routers.  But you can
strongly encourage (perhaps require) that all your customers enforce sane
filters where applicable.  Somewhere in the internet food chain, it is
very much practical to install filters, and someone needs to make sure
they are in place.

Given that ISP market is differentiated by the lowest common denominator at
this point, this is unlikely to happen. Customers and potential customers vote
with their money, and so far, it is very unclear whether doing the "right
things" in this regard give any network a competitive advantage. In fact, it 
could be argued that this constitutes a competitive disadvantage since
engineering for filtering and other such niceties tend to drive up the cost.

I suppose that things would be different if we had an educated consumer base,
but that seems unlikely to happen any time soon.

Furthermore, for many, their connection model of customers makes it
impractical for them to filter.

The best we can do is for each individual sites/networks to do what they can.
Given the current enviroment, something like universal ingress/egress
filter deployment is an impossible task.

However, I'm not saying that since things are impossible, don't bother
doing anything. For those of us who have the customer connection model to
support ingress/egress filtering, this should be done at the edges.

Also, once we are able to buy real routers that can perform these tasks as
part of their aggregation functionality, I'd argue that ingress/egress
filtering _should_ become the norm. (not that I'd bet on that happening)

For those who maintain a CPE, it's trivial to integrate ingress/egress
filtering to the automated process that's part of installation. This has been
done in various different places in the past, the most familiar example to me
being CICNet. 

-dorian



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]