woodsat_private wrote:
> [ On Thursday, September 27, 2001 at 17:10:50 (-0400),
>   ahowardat_private wrote: ]
> > Subject: RE: Nimda et.al. versus ISP responsibility
> >
> > I think there is a mid-ground wherein all ISPs are responsible
> > for both ingress and egress filtering of all traffic on their
> > network to ensure it is valid traffic (e.g., making sure that
> > customer A cannot inject traffic into the network with a source
> > IP that doesn't belong to them...nearly eliminating spoofing)
> > but stopping short of scanning payloads of packets.
>
> Come on! Get real!
>
> Any properly formed IP packet is valid traffic!
>
> You cannot expect ISPs to stay on top of every protocol and every
> network application.

Ummm...perhaps you misunderstood. I just said to filter for proper packets. It is not true that a properly formed packet is necessarily valid traffic. If my router sends a packet to my ISP with a source IP address of 10.1.2.3, it is still a properly formed packet, but nonetheless invalid. If my router sends any packet with a source address other than one in my assigned range, it is invalid. If my router sends any packet with a destination of 255.255.255.255 it is invalid...unless we want our ISPs to start propagating broadcasts. I have had packets hit my router from my ISP with a destination address of 192.168.x.x...tell me how that makes sense?

I specifically said that an ISP should not be looking at the payload of the packet. If the IP packet follows the rules, it gets through. If it has invalid source or destination IP addresses, it doesn't. If it has both SYN and FIN flags set, it doesn't. (Unless I'm missing something that makes that valid...)

Options should exist for further filtering if a customer is willing to pay for it; otherwise, they get what they pay for. But if I'm willing, my ISP should allow me to set egress rules on their edge router to me. It only affects me...and I'm paying for it...why do many ISPs refuse to do this?
I don't expect ISPs to know every application protocol, but they for damn sure better understand TCP, UDP, ICMP, IGMP, and IP in general. Otherwise, what in the world are they doing running IP networks?

-Aaron

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
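The header-only edge filtering Aaron describes (source must be in the customer's assigned range, no private or limited-broadcast addresses, no TCP segment with both SYN and FIN set), written out as an added Python example that is not from the original thread. The customer prefix 203.0.113.0/24 and the packet records are constructed values, and the two directions are split into separate checks because the source test only makes sense on traffic coming from the customer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed value: the prefix the ISP has assigned to this customer (hypothetical).
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# Private and otherwise unroutable space that should never cross the ISP edge.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
TCP_FIN, TCP_SYN = 0x01, 0x02


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp", "icmp", ...
    tcp_flags: int = 0   # only meaningful when proto == "tcp"


def _header_sanity(pkt: Packet) -> Optional[str]:
    """Checks that apply in both directions; returns a drop reason or None."""
    if ipaddress.ip_address(pkt.dst) == LIMITED_BROADCAST:
        return "destination is the limited broadcast address"
    both = TCP_SYN | TCP_FIN
    if pkt.proto == "tcp" and (pkt.tcp_flags & both) == both:
        return "TCP SYN and FIN both set"
    return None


def check_from_customer(pkt: Packet) -> Optional[str]:
    """Packet entering the ISP on the customer link: the source must be theirs."""
    reason = _header_sanity(pkt)
    if reason:
        return reason
    if ipaddress.ip_address(pkt.src) not in CUSTOMER_PREFIX:
        return "source address outside the customer's assigned range"
    return None


def check_to_customer(pkt: Packet) -> Optional[str]:
    """Packet leaving the ISP toward the customer: no private addresses, right destination."""
    reason = _header_sanity(pkt)
    if reason:
        return reason
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net or dst in net for net in UNROUTABLE):
        return "private or unroutable address in header"
    if dst not in CUSTOMER_PREFIX:
        return "destination not in the customer's assigned range"
    return None
```

A returned string is the reason the edge router would drop the packet; None means it is forwarded without ever looking at the payload.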
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 19:16:51 PDT