Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)

Jay Ashworth jra at
Wed Feb 26 21:01:50 UTC 2014

----- Original Message -----
> From: "Brandon Galbraith" <brandon.galbraith at>

> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam at>
> wrote:
> > More politely stated, it’s not the responsibility of the operator to
> > decide what belongs on the network and what doesn’t. Users can run any
> > services that’s not illegal or even reuse ports for other
> > applications.

> Blocking chargen at the edge doesn't seem to be outside of the realm
> of possibilities.

All of these conversations are variants of "how easy is it to set up a
default ACL for loops, and then manage exceptions to it?".

Assuming your gear permits it, I don't personally see all that much 
Bad Actorliness in setting a relatively tight bidirectional ACL for
Random Edge Customers, and opening up -- either specific ports, or
just "to a less-/un-filtered ACL" on specific request.

The question is -- as it is with BCP38 -- *can the edge gear handle it*?

And if not: why not?  (Protip: because buyers of that gear aren't 
agitating for it)

-- jra
Jay R. Ashworth                  Baylink                       jra at
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

More information about the NANOG mailing list