Customer-facing ACLs

Jo Rhett jrhett at netconsonance.com
Tue Mar 11 06:27:23 UTC 2008


Justin Shore wrote:
> I'm assuming everyone uses uRPF at all their edges already so that 
> eliminates the need for specific ACEs with ingress/egress network 
> verification checks.

ha.  I only wish that was true.

We do filter all customer ports for IPs we believe from them, but darn 
few other providers do.  (as based on my conversations with many 
providers when tracking down attacks from their networks)

That said, we filter nothing else.

> Frags are explicitly dropped before any permits.

...?  So you have no real, production sites?



More information about the NANOG mailing list