[NCLUG] Egress Filtering
John L. Bass
jbass at dmsd.com
Tue Aug 14 03:15:10 MDT 2001
> Heh... Many ISPs have enough trouble monitoring their own networks -- you
> expect them to monitor the packets being sent by each of their clients?
Last time I checked, installing a network monitor on a subnet was mostly passive,
and impacts network design/architecture pretty minimally. Especially when the
monitor is a workstation PC type device with the right software. It's pretty damn
hard to screw a facility up doing that, and if they choose not to, then hey, that
is their operational management decision.
And the SAME ISPs are likely to have EVEN MORE problems configuring an interlocking
set of filter rules, and are more likely to bugger the network design during reconfigurations.
> Personally, I'd rather have them put a filter on to block their receiving
> that traffic from me, than installing a filter that logs it so that they
> can later harass me about it. Unless I'm missing something, they'd HAVE to
> do that monitoring on the customer edges of their network because once it
> reaches their core routers they don't know where it came from...
Frankly, if they can't do a monitor right, who would expect them to get router
logs right?? And if they aren't going to monitor with monitoring tools, who is
going to expect them to do it with much more complex router tools?
What comes out a customer's port is the customer's responsibility. It doesn't matter
if that is a ping flood, malformed packets from hardware failures, or DoS attacks.
If the customer connects via a router/firewall, then that device should shape the
customer's traffic profile, not the ISP's.
> So, it's just as much work to set up, if not more, but it requires ongoing
> monitoring and harassing of the customers... I don't think that qualifies
> as KISS...
Hell no, a passive monitor is non-invasive, and doesn't risk taking a facility down
just because of a syntax error in changing router logging options.
> Sean
John
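Worked example added here (not code from the thread or from either poster): the two approaches argued over above, expressed as policy on the customer's own edge device, where the origin of a packet is still known. The filter is plain source-address validation in the BCP 38 sense: an outbound packet whose source is not in the prefix the ISP assigned to the customer should not leave. The "block it" function drops such packets; the "log it" function forwards everything and only counts offending sources for later follow-up. The customer prefix and the packet list are constructed sample data in the RFC 5737 documentation ranges, and the function names are mine.

```python
"""Customer-edge egress filter vs. passive monitor (added example).

Source-address validation at the customer edge: outbound packets whose
source is outside the customer's assigned prefix are spoofed (or leaked
private addresses) and should be handled before they reach the ISP.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the prefix the ISP assigned to this customer (documentation range).
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")

# RFC 1918 private ranges, listed explicitly so the classification is unambiguous.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample of outbound packets as (source, destination, protocol).
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5", "tcp"),   # legitimate
    ("203.0.113.77", "192.0.2.1", "udp"),      # legitimate
    ("10.0.0.5", "192.0.2.1", "udp"),          # private source leaking out
    ("198.51.100.9", "192.0.2.1", "icmp"),     # spoofed public source
    ("10.0.0.5", "192.0.2.2", "icmp"),         # private source again
]


def egress_verdict(packet, prefix=CUSTOMER_PREFIX):
    """Return 'permit' if the packet's source is inside the customer's prefix,
    otherwise 'drop:<reason>'. Meant to run on the customer's router/firewall."""
    src, _dst, _proto = packet
    addr = ip_address(src)
    if addr in prefix:
        return "permit"
    if any(addr in net for net in RFC1918):
        return "drop:private-source"
    return "drop:spoofed-source"


def filter_outbound(packets, prefix=CUSTOMER_PREFIX):
    """The 'block it' approach: return (permitted, dropped), each a list of
    (packet, verdict) pairs. Only the permitted packets leave the customer."""
    permitted, dropped = [], []
    for pkt in packets:
        verdict = egress_verdict(pkt, prefix)
        (permitted if verdict == "permit" else dropped).append((pkt, verdict))
    return permitted, dropped


def passive_monitor(packets, prefix=CUSTOMER_PREFIX):
    """The 'log it' approach: forward everything, only count offending sources
    so an operator can follow up later. Nothing is dropped here."""
    offenders = Counter()
    for pkt in packets:
        if egress_verdict(pkt, prefix) != "permit":
            offenders[pkt[0]] += 1
    return offenders


if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_PACKETS)
    print(f"permitted {len(ok)}, dropped {len(bad)}")
    for pkt, verdict in bad:
        print(f"  {verdict:<20} src={pkt[0]} dst={pkt[1]} proto={pkt[2]}")
    print("monitor-only offenders:", dict(passive_monitor(SAMPLE_PACKETS)))
```

The point of keeping both functions side by side is that they share the same verdict logic; the only difference is whether the device acts on the verdict or merely records it, which is exactly the operational trade-off the thread is about.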