Ingress filtering on transits, peers, and IX ports
adamv0025 at netconsultings.com
Thu Oct 15 14:46:23 UTC 2020
> From: Saku Ytti <saku at ytti.fi>
> Sent: Thursday, October 15, 2020 3:30 PM
>
> On Thu, 15 Oct 2020 at 17:22, Tim Durack <tdurack at gmail.com> wrote:
>
> > We deploy urpf strict on all customer end-host and broadband circuits. In
> > this scenario urpf = ingress acl I don't have to think about.
>
> But you have to think about what prefixes a customer has. If BGP you need
> to generate prefix-list, if static you need to generate a static route. As you
> already have to know and manage this information, what is the incremental
> cost to also emit an ACL?
>
Actually ideally there would be a feature/knob to automatically sync BGP (and static routes) with packet filters.
adam
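
The point raised in this exchange, that the prefix data already maintained per customer can drive both the BGP prefix-list and the ingress packet filter, shown as an added example that is not part of the original message. The function name, the `-IN`/`-SRC` naming scheme and the sample prefixes are assumptions; the emitted lines use Cisco IOS-style syntax and cover IPv4 only.

```python
import ipaddress

def build_filters(name, prefixes):
    """Return (prefix_list_lines, acl_lines) generated from one prefix set.

    Hypothetical helper: 'name' is a customer label, 'prefixes' the IPv4
    prefixes already recorded for that customer (BGP or static).
    """
    # IPv4Network is strict by default: a prefix with host bits set raises
    # ValueError instead of silently producing a wider or shifted filter.
    nets = sorted({ipaddress.IPv4Network(p) for p in prefixes})

    # Route filter: keep the prefixes exactly as recorded. Aggregating here
    # would accept announcements the customer was never assigned.
    prefix_list = [
        f"ip prefix-list {name}-IN seq {5 * (i + 1)} permit {net}"
        for i, net in enumerate(nets)
    ]

    # Packet filter: source addresses only need to fall inside the union of
    # the prefixes, so adjacent and overlapping entries can be collapsed.
    acl = [f"ip access-list extended {name}-SRC"]
    for net in ipaddress.collapse_addresses(nets):
        acl.append(f" permit ip {net.network_address} {net.hostmask} any")
    acl.append(" deny ip any any")
    return prefix_list, acl

if __name__ == "__main__":
    # Constructed sample data using documentation prefixes.
    sample = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
    pl, acl = build_filters("CUST-A", sample)
    print("\n".join(pl + acl))
```
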