
I think the IAB has a legitimate point.
Network operators rely today on the fact that different services use different ports, so they can block particular types of access/behavior by blocking ports.
I think the IAB has a legitimate point and I agree with it 100%. Unfortunately, I also think it lacks a certain amount of practicality. When/if I remove the Microsoft port filters (for example) from the interface between my campus and my eBGP peers or between segments of our campus network, my network starts to melt down because of the sudden influx of virus probes and traffic related to the spike in infections on our 10k - 20k hosts. If the recommendation is to remove these low-cost protections, is there a recommendation on how I can prevent the subsequent and severe instability on my network?
There is a real danger that long-term continued blocking will lead to "everything on one port" (probably 80).
Or port 443. If the traffic is on port 80, most signature systems can determine that it's not necessarily a standard HTTP interaction. If it's on port 443 and has a basic level of encryption, the signature-based systems fail.
I'm not saying ISPs shouldn't filter, but the long-term filtering is a problem. It will cause application developers to do things that will make long-term filtering not work, in the end.
I absolutely agree. It's the same argument that we made to our administration regarding why we shouldn't block outright peer-to-peer applications. First, the applications themselves aren't a problem, aren't illegal and, given that we are a University, we should try not to stifle their development. Just as important, if we blocked them outright, our community would likely shift to applications that are more effective at hiding themselves from us. Since the only drawback to allowing them is that they increase the average bandwidth demand per user, something we plan for anyway, we chose not to filter. Unfortunately, I can't make the same argument about the edge port filters we have in place for security reasons. Though there is a general benefit gained by allowing application development, the overwhelming cost that we'd incur dealing with the compromised hosts themselves, the substantial increase in network traffic and network attacks that they generate, etc., makes removing these protections cost prohibitive. Again, I definitely agree with the IAB's recommendation. However, it's difficult to defend this point of view in practice since most of the equipment does basic packet filtering in hardware or with minimal cost to performance. So, I just can't figure out how to sit in front of our administration and justify the replacement of a zero-cost solution with the cost of added staff and equipment to mitigate these security risks, especially when the upside is just not "limiting the potential for deployment of future applications". Eric :)