Customer-facing ACLs

Sun Mar 9 04:24:31 UTC 2008

On Saturday 08 March 2008, Justin Shore wrote:

> What kind of customer-facing filtering do you do (ingress
> and egress)? This of course is dependent on the type of
> customer, so lets assume we're talking about an average
> residential customer.

We supply to mid-to-small ISP's mostly, and sizeable 
enterprise customers; so the degree to which we can filter 
is limited.

That said, at the edge, we run uRPF on all customer-facing 
ports (loose or strict, depending on the deployment).

In addition, on each edge router's core-facing uplinks, we 
run egress ACL's matching RFC 1918 and RFC 3330 (yes, with 
uRPF downstream to the customers, this might seem 
redundant, but we've actually seen some 'catches', so it 
appears to help us solidify our filtering implementation).

In the core, we don't filter or run uRPF, for obvious 
reasons.

On our border routers, we deploy ingress filters, again, 
cutting off RFC 1918 and RFC 3330.

On peering routers (private peering and exchange points), we 
run uRPF on our peering interface (taking care to run loose 
mode in case private peers also peer at the public exchange 
point). Again, upstream ACL's are implemented on 
core-facing uplinks to "double-check".

As you can tell, we don't filter 
protocols/ports/applications. We leave that to the 
customer, and insist on it.

All the above goes for IPv6 as well, as appropriate.

We are also quite picky about NLRI filtering (BGP), but 
that's beyond this scope :-).

Hope this helps.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20080309/0a43eae6/attachment.sig>