Customer-facing ACLs
Mark Tinka
mtinka at globaltransit.net
Sun Mar 9 04:24:31 UTC 2008
On Saturday 08 March 2008, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress
> and egress)? This of course is dependent on the type of
> customer, so lets assume we're talking about an average
> residential customer.
We supply to mid-to-small ISP's mostly, and sizeable
enterprise customers; so the degree to which we can filter
is limited.
That said, at the edge, we run uRPF on all customer-facing
ports (loose or strict, depending on the deployment).
In addition, on each edge router's core-facing uplinks, we
run egress ACL's matching RFC 1918 and RFC 3330 (yes, with
uRPF downstream to the customers, this might seem
redundant, but we've actually seen some 'catches', so it
appears to help us solidify our filtering implementation).
In the core, we don't filter or run uRPF, for obvious
reasons.
On our border routers, we deploy ingress filters, again,
cutting off RFC 1918 and RFC 3330.
On peering routers (private peering and exchange points), we
run uRPF on our peering interface (taking care to run loose
mode in case private peers also peer at the public exchange
point). Again, upstream ACL's are implemented on
core-facing uplinks to "double-check".
As you can tell, we don't filter
protocols/ports/applications. We leave that to the
customer, and insist on it.
All the above goes for IPv6 as well, as appropriate.
We are also quite picky about NLRI filtering (BGP), but
that's beyond this scope :-).
Hope this helps.
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20080309/0a43eae6/attachment.sig>
More information about the NANOG
mailing list