It depends on how many customers you have and what sort of contract you have with them, if any. A significant amount of attack traffic comes from residential networks, where a “one-size-fits-all” policy is definitely best.

On Feb 26, 2014, at 4:01 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Brandon Galbraith" <brandon.galbraith@gmail.com>
On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam@comcast.net> wrote:
More politely stated, it’s not the responsibility of the operator to decide what belongs on the network and what doesn’t. Users can run any service that’s not illegal, or even reuse ports for other applications.
Blocking chargen at the edge doesn't seem to be outside of the realm of possibilities.
All of these conversations are variants of "how easy is it to set up a default ACL for loops, and then manage exceptions to it?".
Assuming your gear permits it, I don't personally see all that much Bad Actorliness in setting a relatively tight bidirectional ACL for Random Edge Customers, and opening up -- either specific ports, or just "to a less-/un-filtered ACL" on specific request.
The question is -- as it is with BCP38 -- *can the edge gear handle it*?
And if not: why not? (Protip: because buyers of that gear aren't agitating for it)
Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
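As an added illustration (not code from this thread, from Jay, or from any router vendor), here is a small Python model of the "default edge ACL plus managed exceptions" idea: a bidirectional default that drops chargen (19/udp) for ordinary edge customers, a BCP38 source check on traffic entering from the customer port, and a per-customer exception list that opens a port on request. The customer names, prefixes, and the exception for the "lab" customer are constructed for the example; only chargen is in the default block list because it is the only service named in the thread.

```python
"""Toy model of a default edge ACL with per-customer exceptions.

Added illustration for the thread above; customer names, prefixes and the
exception list are constructed, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import FrozenSet, List, Tuple

# Services dropped in both directions for "random edge customers" by default.
# The thread only names chargen (19/udp); extend this set per local policy.
DEFAULT_BLOCKED_UDP: FrozenSet[int] = frozenset({19})


@dataclass(frozen=True)
class Customer:
    name: str
    prefix: IPv4Network                     # addresses assigned to this customer
    open_udp: FrozenSet[int] = frozenset()  # exceptions granted on specific request
    unfiltered: bool = False                # moved to the "less-/un-filtered" ACL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    direction: str   # "in" = from the customer port, "out" = toward the customer


def evaluate(customer: Customer, pkt: Packet,
             blocked_udp: FrozenSet[int] = DEFAULT_BLOCKED_UDP) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet on the customer's edge port."""
    # BCP38 is applied regardless of which service ACL the customer is on:
    # anything entering from the customer must be sourced from their own prefix.
    if pkt.direction == "in" and ip_address(pkt.src) not in customer.prefix:
        return "deny", "bcp38: source address not in customer prefix"
    if customer.unfiltered:
        return "permit", "customer on unfiltered ACL"
    if pkt.proto == "udp":
        # Match either port so the same rule covers requests and reflected replies.
        hit = {pkt.sport, pkt.dport} & blocked_udp
        if hit and not hit <= customer.open_udp:
            return "deny", f"default block: udp/{sorted(hit)[0]}"
    return "permit", "default permit"


# Constructed sample customers (RFC 5737 documentation prefixes).
RESIDENTIAL = Customer("resi-1", ip_network("192.0.2.0/24"))
LAB = Customer("lab-customer", ip_network("198.51.100.0/24"), open_udp=frozenset({19}))

# Constructed sample flows, one per policy branch.
SAMPLE_FLOWS = [
    # chargen request leaving the residential port toward a third party
    (RESIDENTIAL, Packet("192.0.2.10", "203.0.113.5", "udp", 40000, 19, "in")),
    # same request but with a spoofed source: caught by the BCP38 check first
    (RESIDENTIAL, Packet("203.0.113.5", "203.0.113.9", "udp", 40000, 19, "in")),
    # ordinary DNS query: untouched by the default block
    (RESIDENTIAL, Packet("192.0.2.10", "203.0.113.53", "udp", 40001, 53, "in")),
    # lab customer with a documented exception for chargen
    (LAB, Packet("198.51.100.7", "203.0.113.5", "udp", 40000, 19, "in")),
]


def run_samples() -> List[Tuple[str, int, str, str]]:
    """Evaluate every sample flow; returns (customer, dport, verdict, reason)."""
    return [(c.name, p.dport, *evaluate(c, p)) for c, p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, dport, verdict, reason in run_samples():
        print(f"{name:<14} dport={dport:<5} {verdict:<6} {reason}")
```

The exception mechanism is just the `open_udp` set on the customer record, which is the part the thread says is the real operational cost: the default ACL is trivial, and the work is tracking who was granted what and why.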