North American Network Operators Group


Re: Advisory - tunneling of IP at exchange points.

  • From: Lyndon Levesley
  • Date: Tue Nov 25 11:31:23 1997

>>>>> On Tue, 25 Nov 1997 at around 15:53:28,
>>>>> "NJM" == Neil J. McRae penned:

 NJM> On Tue, 25 Nov 1997 14:47:22 +0000 (GMT)
 NJM> Paul Thornton <[email protected]> wrote:

 +> The LINX and several of its members have recently had to take action
 +> against an ISP that was using GRE tunneling between exchange points
 +> to appropriate the capacity of other ISPs.

 NJM> Hmm unfortunately for us GRF owners it seems that filterd cannot deal
 NJM> with filter this. Joy! I wonder how many months for a fix!?

Neil,

 With a bit of effort, you could

a) allow valid traffic sourced from a NAP address
b) deny any other traffic with a NAP source addr

couldn't you ?

e.g.

[ inbound at ME ]

(in pseudo ACL :)

! Allow ping, trace etc. to work in and out
permit src=192.41.177.0/24 proto=(icmp, echo-request OR echo-reply OR unreachable, ttl-exceed ... etc.)
! oh, and BGP
permit src=192.41.177.0/24 proto=(tcp, 179)
! horrible way to allow people to traceroute in from their NAP routers
permit src=192.41.177.0/24 proto=(udp, port>30000)
!
! Some other stuff I can't be bothered to think of here
!
deny src=192.41.177.0/24

 As, in general, you shouldn't see many types of traffic into you 
with a source address of a NAP router. I know it's possible that 
people might want to telnet to one of your SMTP ports from their 
Mae-East router but it ain't very likely ;)

[ I'm assuming that the problem is you can't say "deny proto=0x2f" or 
similar ? ]

 NJM> Neil.

Cheers,

Lyndon


-- 
Penis Envy is a total Phallusy.
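The source-based filter sketched in the post, with the direct "deny proto=0x2f" match Lyndon asks about in front of it, as an added Python example that is not part of the original thread: a minimal IPv4 header parser plus a policy evaluator, so the permit/deny outcome of each rule can be checked on constructed packets. The 10.0.0.1 destination and the sample payloads are constructed; the 192.41.177.0/24 prefix is the one used on the page.

```python
import ipaddress
import struct

# Constructed example: evaluate the posted pseudo ACL against parsed IPv4 headers.
NAP_PREFIX = ipaddress.ip_network("192.41.177.0/24")   # exchange-point prefix from the post
GRE = 47                                               # IP protocol 0x2f

def parse_ipv4(pkt: bytes) -> dict:
    """Return source, protocol and (where present) ports / ICMP type of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    payload = pkt[ihl:]
    info = {"src": src, "proto": proto}
    if proto in (6, 17) and len(payload) >= 4:            # TCP / UDP: ports first
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 1 and payload:                          # ICMP: type is the first byte
        info["icmp_type"] = payload[0]
    return info

def filter_decision(pkt: bytes) -> str:
    """Only ICMP, BGP and traceroute probes may arrive with an exchange-point source."""
    p = parse_ipv4(pkt)
    if p["proto"] == GRE:
        return "deny"        # the direct fix, where the box can match proto=0x2f at all
    if p["src"] not in NAP_PREFIX:
        return "permit"      # the policy only constrains packets sourced from the NAP
    if p["proto"] == 1 and p.get("icmp_type") in (0, 3, 8, 11):
        return "permit"      # echo-reply, unreachable, echo-request, ttl-exceeded
    if p["proto"] == 6 and 179 in (p.get("sport"), p.get("dport")):
        return "permit"      # BGP
    if p["proto"] == 17 and p.get("dport", 0) > 30000:
        return "permit"      # traceroute probes from NAP routers
    return "deny"            # everything else with a NAP source address

def build_ipv4(src: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address("10.0.0.1").packed)   # constructed destination
    return hdr + payload

if __name__ == "__main__":
    gre = build_ipv4("192.41.177.10", GRE, b"\x00\x00\x08\x00")       # GRE header, inner IPv4
    bgp = build_ipv4("192.41.177.10", 6, struct.pack("!HH", 40000, 179))
    print(filter_decision(gre), filter_decision(bgp))                 # deny permit
```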