It depends on how many customers you have and what sort of contract you have with them, if any. A significant amount of attack traffic comes from residential networks where a “one-size-fits-all” policy is definitely best.
On Feb 26, 2014, at 4:01 PM, Jay Ashworth <j...@baylink.com> wrote:

> ----- Original Message -----
>> From: "Brandon Galbraith" <brandon.galbra...@gmail.com>
>
>> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.s...@comcast.net>
>> wrote:
>>> More politely stated, it’s not the responsibility of the operator to
>>> decide what belongs on the network and what doesn’t. Users can run any
>>> services that’s not illegal or even reuse ports for other
>>> applications.
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm
>> of possibilities.
>
> All of these conversations are variants of "how easy is it to set up a
> default ACL for loops, and then manage exceptions to it?".
>
> Assuming your gear permits it, I don't personally see all that much
> Bad Actorliness in setting a relatively tight bidirectional ACL for
> Random Edge Customers, and opening up -- either specific ports, or
> just "to a less-/un-filtered ACL" on specific request.
>
> The question is -- as it is with BCP38 -- *can the edge gear handle it*?
>
> And if not: why not? (Protip: because buyers of that gear aren't
> agitating for it)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth              Baylink                      j...@baylink.com
> Designer                     The Things I Think           RFC 2100
> Ashworth & Associates        http://www.bcp38.info        2000 Land Rover DII
> St Petersburg FL USA         BCP38: Ask For It By Name!   +1 727 647 1274