Hurray, my favorite argument! On Thu, 7 Mar 2002, Joe Abley wrote:
> On Thursday, March 7, 2002, at 04:37 , Sean Donelan wrote:
>> My comment was originally prompted by the meeting minutes which reported on the survey data showing that 100% of carriers are implementing firewalls in their gateways. The 100% is what caught my eye. As the topic comes up in various places, large ISPs repeatedly say they are unable to implement filters or packet screening on their high-speed links such as at peering points.
> How recently are ISPs repeatedly saying this? Packet filtering on high-speed optical interfaces has been possible for some time, depending on your router vendor, for some value of "packet filtering".
'now' would be a good starting time, but at least 2 years we've been saying it (if not longer)
> I could understand it if the issue of how to manage packet filter definitions on routers as the network changes was a problem. But I would be slightly surprised if there was still a universal voice saying "we absolutely cannot filter packets at the edge, because the vendors won't let us".
"we absolutely cannot filter packets at the edge, because the vendors won't let us" The equipment fries, the equipment does not support ACLs, the ACLs simply don't work... I don't think I can put it any more clearly. There has got to be a push from the USERS of this equipment (not just one user, all users) to get line rate, full packet filtering capability on ALL interfaces on EVERY router, everything from the smallest Foundry or 1700 to the largest 12416 or M160 or Avici. If users don't start asking for this 2 years ago it'll be another 4-5 years before it's a reality. The vendors will NOT push forward on this without a significant cash incentive (like everyone saying: I need this so do it for me).
> To meet the requirements of what I understood the original quoted fragment to be saying, it's perhaps not necessary to packet filter at the edge, anyway. You can apply a firewall to just the loopback interface of a junos box and arguably consider your control element firewalled.
Yes, if this is about the original discussion point, firewalling/protecting the control elements, then a loopback filter (or similar technology on a non-juniper platform) would suffice.
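As an added illustration of the loopback-filter approach the thread refers to (this is not configuration from anyone in the thread), here is a minimal JunOS firewall filter applied to lo0 so that only expected control-plane traffic reaches the routing engine, with everything else counted, logged and discarded. The term names, the policer values, and the addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges to stand in for real peer and management networks) are all assumptions for the example.

```junos
/* Added example, not from the thread: protect the control plane by filtering lo0 */
firewall {
    policer icmp-policer {
        /* assumed limits: keep diagnostic ICMP alive without letting it flood the RE */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term allow-bgp {
                from {
                    source-address {
                        192.0.2.0/24;      /* assumed: address block holding our BGP peers */
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term allow-mgmt-ssh {
                from {
                    source-address {
                        198.51.100.0/24;   /* assumed: management network */
                    }
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term allow-icmp-limited {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* anything not explicitly permitted above is dropped; the counter and
               log entries are what an operator watches to spot unexpected traffic
               aimed at the control element */
            term default-discard {
                then {
                    count discard-all;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 192.0.2.254/32;  /* assumed loopback address */
            }
        }
    }
}
```

Because the filter sits on lo0 rather than on every transit interface, it only has to be evaluated for packets destined to the router itself, which is why this was a workable option even on platforms where full line-rate filtering on all interfaces was not. The obvious operational caveat is that anything the routing engine legitimately needs (more routing protocols, SNMP, NTP, DNS) must get its own accept term before the final discard, or it will silently stop working.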