Part of the problem is that some of the larger ISPs have so many peers that it makes it difficult to do egress/ingress filtering at the core. Another concern is network performance...all those ACLs affect router performance and if they have to choose between a router upgrade and your filters... guess what wins.

I am aware of lists of ports that ISPs filter, but not lists of client requested filters. I would imagine a good ISP would filter traffic to your pipe if you requested it. If they are managing your equipment, I don't see why they wouldn't. I manage my own equipment... Are you referring to my connection to my ISP on their equipment?

Are these RFC1918 addresses spoofed? It would seem that most ISPs would filter that address space, but sometimes it is the old "Someone else will do it" excuse.

FWIW...you are dealing with Verizon. In my experience, they don't have the level of customer service that you would expect from a company that large. I use C&W and they have been responsive to all my requests. Let me qualify that and say I haven't asked for any filtering. My BGP setup went rather smoothly though.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammonat_private]
Sent: Thursday, May 31, 2001 1:10 PM
To: 'incidentsat_private'
Subject: ISP Filtering (Survey of Sorts)

A few questions:

1) Does anyone know of a list of known security-conscious ISPs (for larger corporate circuits) that are known for providing basic security services (ingress/egress filters, RFC1918s, and client-specific filter requests) to customers without hassle?

2) Does anyone else have an ISP that, by policy, will not filter upstream?

I've got Verizon, and I've been having some infrequent correspondence with them regarding filtering and it has been denied all the way up the chain. I'm getting kind of tired of seeing thousands of matches on my access-lists against RFC1918 rules and such that I would assume should be filtered by any semi-responsible ISP.

Just curious if there are greener pastures...

Thanks,

Keith W. McCammon
Sr. Network Engineer
AdvanceMed Corporation
11710 Plaza America Drive
Reston, VA 20190
Phone: 703.261.4891
Fax: 703.261.5300
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 15:56:29 PDT