On Thu, 31 May 2001, McCammon, Keith wrote:

> A few questions:
>
> 1) Does anyone know of a list of known security-conscious ISP's (for larger
> corporate circuits) that are known for providing basic security services
> (ingress/egress filters, RFC1918's, and client-specific filter requests) to
> customers without hassle.

Most competent ISP/NSP's will filter out RFC1918 address space from being announced by default, as well as do ingress filtering, but usually limited to their own IP space. They may or may not actually filter ingress traffic for RFC1918 space. Most refrain from customer requested filtering because of the CPU cycles required to filter on their equipment which generally serves many customers. If those customers are BGP speakers, then they're already being filtered for route announcements.

> I'm getting kind of tired of seeing thousands of matches on my access-lists
> against RFC1918 rules and such that I would assume should be filtered by any
> semi-responsible ISP.

The generally accepted model is to filter as close to the edge as possible, and most ISP's that I've dealt with seem to take this to mean it's your responsibility to do so. Remember, the NSP's job is to forward packets to you as fast as possible. Filtering will generally be your responsibility, not theirs.

Personally, I'd much rather know what's coming at me so I can trend what people are trying to do against my network. It may be tedious to weed through, but just like Stoll's $.25 accounting discrepancy, something in there might point to something you should be paying attention to.

Regards,
--
Joseph W. Shaw II
CCNA/Network Security Goon
Unemployed. Will hack for food. God Bless.
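One way to do the trending mentioned in the reply above, as an added example that is not part of the original message: it counts denied packets with RFC1918 sources by private block and by targeted service. It assumes Cisco IOS-style `%SEC-6-IPACCESSLOGP` syslog lines from a logging deny entry; the sample lines, router name and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private blocks that should never arrive from the Internet side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: Cisco IOS-style ACL hit for TCP/UDP (IPACCESSLOGP).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")

# Constructed sample lines (documentation addresses, hypothetical router name).
SAMPLE_LOG = """\
Jun  1 10:00:01 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.4.2.9(3321) -> 198.51.100.10(80), 1 packet
Jun  1 10:00:07 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.1.77(1045) -> 198.51.100.10(139), 3 packets
Jun  1 10:01:13 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 110 denied udp 172.20.5.1(137) -> 198.51.100.11(137), 2 packets
Jun  1 10:02:40 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.50(4000) -> 198.51.100.10(23), 1 packet
Jun  1 10:03:02 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.200.0.3(2210) -> 198.51.100.10(139), 5 packets
Jun  1 10:03:30 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.32.0.1(2000) -> 198.51.100.10(80), 4 packets
"""

def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    return next((str(net) for net in RFC1918 if ip in net), None)

def trend(log_text):
    """Count denied packets with RFC 1918 sources, by block and by target service."""
    by_block, by_service = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL hit in the assumed format
        block = rfc1918_block(m["src"])
        if block is None:
            continue  # routable source (e.g. 172.32.0.1): not counted here
        packets = int(m["count"])
        by_block[block] += packets
        by_service[(m["proto"], int(m["dport"]))] += packets
    return by_block, by_service

if __name__ == "__main__":
    blocks, services = trend(SAMPLE_LOG)
    for block, n in blocks.most_common():
        print(f"{n:5d} packets from {block}")
    for (proto, port), n in services.most_common():
        print(f"{n:5d} packets to {proto}/{port}")
```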
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 17:12:50 PDT