Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: HTTP proxies, was Re: Operational Issues with 69.0.0.0/8...

  • From: Michael.Dillon
  • Date: Mon Dec 09 05:20:23 2002

> And don't forget about the biggest of them all, open BIND proxies. After
> port 80, port 53 goes through almost as much.  A lot of times you don't
> need to hack anything, software comes with relay/proxy/recursion 
enabled.
> How do we get software vendors (free, pay, virus) to distribute software
> with appropriate defaults?

Set up the Net Police. 

First step, learn from the RBL and other blacklists.

Second step, publish a directory. I.e. detect the non-conforming devices 
and publish their IP addresses in an LDAP server. 

Third step, use these directories to dynamically configure filters and 
ACLs and blackhole routes.

Fourth step, lean on the vendors to make more things dynamically 
configurable, i.e. make ACL configuration more like route distribution. 
That makes the 3rd step easier and will get more of the corporate 
networking people to police their neighborhoods.

Finally, stop raving about how the net police would be bad. They already 
exist in the form of many disorganized private net police groups like the 
RBL people, spammer blacklists, NANOG mailing list, CIDR report, CERT, 
etc. The point is that policing the network itself and the devices that 
connect to the network is a good thing and should be done in a coordinated 
fashion. 

The purpose of publishing stuff using LDAP is because we are not policing 
people, we are policing machines therefore we need to talk to them in a 
language they can understand, i.e. a network protocol.

And yes, I realize that there are lots of problems with this that need to 
be solved and slippery slopes that we have to be wary of, but that is not 
a reason for not trying.

--Michael Dillon







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.