Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)

Keegan Holley no.spam at
Fri Feb 28 01:57:14 UTC 2014

It depends on how many customers you have and what sort of contract you have with them if any.  A significant amount of attack traffic comes from residential networks where a “one-size-fits-all” policy is definitely best.

On Feb 26, 2014, at 4:01 PM, Jay Ashworth <jra at> wrote:

> ----- Original Message -----
>> From: "Brandon Galbraith" <brandon.galbraith at>
>> On Wed, Feb 26, 2014 at 6:56 AM, Keegan Holley <no.spam at>
>> wrote:
>>> More politely stated, it’s not the responsibility of the operator to
>>> decide what belongs on the network and what doesn’t. Users can run any
>>> services that’s not illegal or even reuse ports for other
>>> applications.
>> Blocking chargen at the edge doesn't seem to be outside of the realm
>> of possibilities.
> All of these conversations are variants of "how easy is it to set up a
> default ACL for loops, and then manage exceptions to it?".
> Assuming your gear permits it, I don't personally see all that much 
> Bad Actorliness in setting a relatively tight bidirectional ACL for
> Random Edge Customers, and opening up -- either specific ports, or
> just "to a less-/un-filtered ACL" on specific request.
> The question is -- as it is with BCP38 -- *can the edge gear handle it*?
> And if not: why not?  (Protip: because buyers of that gear aren't 
> agitating for it)
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra at
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates          2000 Land Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

More information about the NANOG mailing list