Sure; I see your point. Thing is, though you don't -have- to make the ACL thing automatic - you can have someone sitting and watching the thing, and triggering it manually after positive identification. -----Original Message----- From: John Kristoff [mailto:jtk@depaul.edu] Sent: Friday, July 07, 2000 5:01 PM To: nanog@merit.edu Subject: Re: RBL-type BGP service for known rogue networks? rdobbins@netmore.net wrote:

I certainly don't think that intrusion-detection makes sense for the backbones and NAPs and so forth, but when you get closer to the traffic-orginator/requestor boundaries of the network, it becomes more feasible, does it not?

Perhaps. It might be less detrimental to the entire Internet community if only a edge customer's dynamic IDS/filtering system went haywire. It then boils down to an organization's design and support philosophy. Personally, I don't like the idea of messing with packets/streams in transit unless it's route them, drop them (congestion) or mark them (IP ToS bits/DiffServ). There of course may be a few instances where you block an entire netblock (e.g. RFC 1918) or specific ports (e.g. snmp) that are widely know to be insecure or invalid. It seems easier in the long run (harder intially) to secure the end systems. Maybe I'm just getting used to vendors automatically configuring my network with the routing protocols and I'm not quite ready for automatic ACL definitions based on traffic patterns. :-) John