Tier 2 ingress filtering

Tore Anderson tore at fud.no
Fri Mar 29 12:31:47 UTC 2013


* Saku Ytti

> Question is, is it reasonable to expect customer to know what 
> networks they have. If yes, then you can ask them to create route 
> objects and then you can BGP prefix-filter and ACL on them. I do 
> both, and it has never been a problem to my customers (enterprises, 
> CDNs, eyeballs).

I've had some problems with my upstream providers' ingress filtering,
for example:

- Traffic sourced from a prefix announced as a more-specific route at a
transit connection in location A got filtered on a transit connection in
location B, where only a greater aggregate was announced.

- A GRE tunnel anchored in my routers' addresses in the eBGP link
network (part of my provider's address space) stopped working, as my
outbound packets were dropped by the provider's ingress filtering.

- Traceroutes that reach my network through provider A show one
missing hop if my best return path back to the traceroute source is
through provider B, and provider B is doing ingress filtering. This is
because the ICMP TTL/HL exceeded packet is sourced from provider A's
address space (my router's interface address in the eBGP link net).

AFAIK, you represent one of my upstream providers, so sorry, but saying
your customers have never had problems with your ingress filtering isn't
entirely accurate. Everything works fine now, though.

Best regards,
-- 
Tore Anderson
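As an added illustration (not part of the thread, and not describing any particular provider's configuration), the small model below reproduces the three cases listed above under two common ingress-filter styles: strict uRPF (the best route back to the source must point at the arrival interface) and a prefix ACL built from the customer's registered route objects. The routing table, link networks and addresses are constructed from documentation ranges; "link-A" and "link-B" stand for the two transit connections.

```python
import ipaddress

# Constructed single-provider view with two customer-facing links. 203.0.113.0/24 is
# the customer's aggregate (announced on link-B); the more-specific 203.0.113.0/25 is
# announced only on link-A. 192.0.2.0/30 and 192.0.2.4/30 are the eBGP link networks.
ROUTES = {
    "203.0.113.0/24": "link-B",
    "203.0.113.0/25": "link-A",
    "192.0.2.0/30": "link-A",
    "192.0.2.4/30": "link-B",
}
# Only the customer's own aggregate is registered as a route object.
ROUTE_OBJECTS = ["203.0.113.0/24"]

def lpm(routes, src):
    """Longest-prefix-match lookup; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, iface in routes.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf(routes, iface, src):
    """Strict uRPF: the best route back to the source must use the arrival interface."""
    return lpm(routes, src) == iface

def route_object_acl(objects, src):
    """Prefix ACL derived from the customer's registered route objects."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in objects)

def evaluate(iface, src):
    """Return (strict uRPF verdict, route-object ACL verdict) for one packet."""
    return strict_urpf(ROUTES, iface, src), route_object_acl(ROUTE_OBJECTS, src)

# The three cases from the mail, plus ordinary aggregate traffic for comparison.
SCENARIOS = {
    "more-specific source arriving on link-B": ("link-B", "203.0.113.10"),
    "GRE sourced from customer address in link-B net": ("link-B", "192.0.2.6"),
    "ICMP TTL exceeded from link-A address, returned via link-B": ("link-B", "192.0.2.2"),
    "ordinary aggregate traffic on link-B": ("link-B", "203.0.113.200"),
}

if __name__ == "__main__":
    for name, (iface, src) in SCENARIOS.items():
        urpf_ok, acl_ok = evaluate(iface, src)
        print(f"{name}: strict uRPF={'pass' if urpf_ok else 'DROP'}, ACL={'pass' if acl_ok else 'DROP'}")
```

Only the ordinary traffic passes both checks: the more-specific case fails strict uRPF alone, the GRE case fails the route-object ACL alone, and the returned ICMP case fails both.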




More information about the NANOG mailing list