On Wed, 29 Oct 2003, Alex Yuriev wrote:
application traffic", and we should not do that. It should not be the goal of IS to enforce the policy for the traffic that passes through it. That type of enforcement should be left to ES.
Well, that is nice thery, but I'd like to see how you react to 2Gb DoS attack and if you really intend to put filters at the edge or would not prefer to do it at the entrance to your network. Slammer virus is just like DoS, that is why many are filtering it at the highiest possible level as well as at all points where traffic comes in from the customers.
Actually, no, it is not theory.
When you are slammed with N gigabits/sec of traffic hitting your network, if you do not have enough capacity to deal with the attack, no amount of filtering will help you, since by the time you apply a filter it is already too late - the incoming lines have no place for "non-evil" packets.
This concept does not work on every network. You may very well have enough capacity to handle all the traffic from upstream provider (you probably don't want to and will ask them to filter as well) but actual line to the POP where customer is connected maybe smaller or even if you do have enough capacity to the POP, the extra traffic going there will greatly effect IGP routing on the network and may cause problems for customers in completely different cities.
Leave content filtering to the ES, and *force* ES to filter the content. Its not content filtering, I'm not filtering only certain html traffic (like access to porn sites), I'm filtering traffic that is causing harm to my network and if I know what traffic is causing problems for me, I'll filter it first chance I get.
-- William Leibzon Elan Networks william@elan.net