North American Network Operators Group
Re: Advisory - tunneling of IP at exchange points.
- From: Lyndon Levesley
- Date: Tue Nov 25 11:31:23 1997
>>>>> On Tue, 25 Nov 1997 at around 15:53:28,
>>>>> "NJM" == Neil J. McRae penned:
NJM> On Tue, 25 Nov 1997 14:47:22 +0000 (GMT)
NJM> Paul Thornton <prt@linx.net> wrote:
+> The LINX and several of its members have recently had to take action
+> against an ISP that was using GRE tunneling between exchange points
+> to appropriate the capacity of other ISPs.
NJM> Hmm, unfortunately for us GRF owners it seems that filterd cannot deal
NJM> with filtering this. Joy! I wonder how many months for a fix!?
Neil,
With a bit of effort, you could
a) allow valid traffic sourced from a NAP address
b) deny any other traffic with a NAP source addr
couldn't you?
e.g.
[ inbound at ME ]
(in pseudo ACL :)
! Allow ping, trace etc. to work in and out
permit src=192.41.177.0/24 proto=(icmp, echo-request OR echo-reply OR
unreachable, ttl-exceed ... etc.)
! oh, and BGP
permit src=192.41.177.0/24 proto=(tcp, 179)
! horrible way to allow people to traceroute in from their NAP routers
permit src=192.41.177.0/24 proto=(udp, port>30000)
!
! Some other stuff I can't be bothered to think of here
!
deny src=192.41.177.0/24
As, in general, you shouldn't see many types of traffic into you
with a source address of a NAP router. I know it's possible that
people might want to telnet to one of your SMTP ports from their
Mae-East router but it ain't very likely ;)
[ I'm assuming that the problem is you can't say "deny proto=0x2f" or
similar ? ]
NJM> Neil.
Cheers,
Lyndon
--
Penis Envy is a total Phallusy.
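The filter sketched in the post relies on a catch-all deny of the exchange-point prefix rather than on matching protocol 0x2f directly, so it blocks GRE from a NAP source even on a box whose filter language cannot name the protocol. The following Python model is an added example (not code from the post or from any router vendor) that evaluates that pseudo ACL first-match against constructed sample packets; it assumes 192.41.177.0/24 as the NAP prefix quoted in the post, and that traffic not sourced from the NAP prefix is permitted by default, which is how the post describes the intent ("deny any other traffic with a NAP source addr").

```python
"""Simulate the inbound NAP-source filter described in the post.

Added example, not code from the original message. Rules are evaluated
first-match like a router ACL. Packets matching no rule are permitted,
which is an assumption that follows the post's intent: only NAP-sourced
traffic that is not explicitly allowed is dropped. All packets below are
constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

NAP_PREFIX = ipaddress.ip_network("192.41.177.0/24")  # prefix quoted in the post

# IANA IP protocol numbers; GRE is the 0x2f mentioned in the post
ICMP, TCP, UDP, GRE = 1, 6, 17, 47

# ICMP types that ping and traceroute depend on
ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
ICMP_CONTROL = {ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED}


@dataclass(frozen=True)
class Packet:
    src: str                       # source IPv4 address as text
    proto: int                     # IP protocol number
    dport: Optional[int] = None    # TCP/UDP destination port, if any
    icmp_type: Optional[int] = None


def from_nap(p: Packet) -> bool:
    """True if the packet claims a source inside the exchange-point prefix."""
    return ipaddress.ip_address(p.src) in NAP_PREFIX


# (action, match predicate, human-readable reason), mirroring the pseudo ACL
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    # ! Allow ping, trace etc. to work in and out
    ("permit",
     lambda p: from_nap(p) and p.proto == ICMP and p.icmp_type in ICMP_CONTROL,
     "icmp echo/unreachable/ttl-exceeded from NAP"),
    # ! oh, and BGP
    ("permit",
     lambda p: from_nap(p) and p.proto == TCP and p.dport == 179,
     "bgp from NAP"),
    # ! traceroute probes from NAP routers (udp, port>30000)
    ("permit",
     lambda p: from_nap(p) and p.proto == UDP and p.dport is not None and p.dport > 30000,
     "traceroute udp probe from NAP"),
    # deny src=192.41.177.0/24  -- catches GRE without naming proto 0x2f
    ("deny", from_nap, "anything else sourced from NAP prefix"),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule; default permit."""
    for action, match, reason in RULES:
        if match(p):
            return action, reason
    return "permit", "not NAP-sourced (assumed default permit)"


def run_samples() -> List[Tuple[Packet, str, str]]:
    """Evaluate a set of constructed packets and return the decisions."""
    samples = [
        Packet("192.41.177.10", GRE),                      # tunnel from a NAP address
        Packet("10.1.2.3", GRE),                           # tunnel from elsewhere
        Packet("192.41.177.10", TCP, dport=179),           # BGP session
        Packet("192.41.177.10", TCP, dport=25),            # the "telnet to SMTP" case
        Packet("192.41.177.10", UDP, dport=33434),         # traceroute probe
        Packet("192.41.177.10", UDP, dport=53),            # DNS from a NAP router
        Packet("192.41.177.10", ICMP, icmp_type=ICMP_ECHO_REQUEST),
        Packet("192.41.177.10", ICMP, icmp_type=5),        # ICMP redirect
    ]
    return [(pkt, *evaluate(pkt)) for pkt in samples]


if __name__ == "__main__":
    for pkt, action, reason in run_samples():
        print(f"{action:6} src={pkt.src:15} proto={pkt.proto:3} "
              f"dport={pkt.dport} icmp={pkt.icmp_type}  ({reason})")
```

Running the script shows the GRE packet from 192.41.177.10 hitting the final deny while the same packet from a non-NAP source passes untouched; the permitted ICMP and UDP ranges are deliberately narrow, so any new legitimate flow from a peer's NAP router (the post's "some other stuff") needs its own explicit permit above the catch-all.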