
christopher.morrow@verizonbusiness.com ("Christopher L. Morrow") writes:
> seems like global tcp/139|tcp/445 filters, or bogon filters... bits put into configs 'now' and completely forgotten about 'tomorrow' :(

speaking of which, f-root has about 35 nodes world wide, and about a third to a half of them aren't reachable by udp/161, and the blockage is not in our immediate neighbors but rather on transit paths. this is due to the cisco snmp vulnerability five years or so ago. filtering in the core to protect vulnerable edges has to be done a LOT more carefully than that. (BCP38 is an example of how to do it well, but apparently impractically?)

i'm not following up on the dns related parts of this, since dns-operations@ seems to be pulling some of the dns related load today and i don't want to say the same thing in both places. see this URL for details:

http://lists.oarci.net/pipermail/dns-operations/2006-February/author.html

-- Paul Vixie