On Sat, 18 Oct 2003 14:28:10 PDT, bmanning@karoshi.com said:
... part of the INTERnet, and we would like it all to interoperate end to end.
that must be the royal "we"...
Nope. The collective we. If you aren't in the set of people who wants things to interoperate, why are you subscribed to NANOG? ;)
if there is really a concern that port filtering is inherently bad and should only be exercised as a temporary expediant, then why not open up all ports on the end systems?
There's a distinction between filtering ports at the ISP and opening them up on the end systems, which you are trying to gloss over - when in fact the distinction is important.
blocking ports 5, 7, 9, 11 and 19 are fairly common these days. is the IAB seriously suggesting that ISPs remove the filters on/for these ports?
My machine is quite able to decide if it wants to accept traffic on those ports, or reject it with an appropriate error message, or silently discard it. In the unlikely event of a DDoS attack involving those ports, I will discuss mitigation with my provider. The only reason we're having this discussion is because there's a majority market share by vendors who have traditionally shipped systems that are unable to make reasonable decisions about accepting traffic (yes, vendors plural. Fortunately, most have recanted over the past few years). And yes, I read it as "the IAB is suggesting the time for filtering those ports is either passed or will soon be" - how many vendors are *still* shipping code that does the default things on those ports?