job at ntt.net
Tue Aug 29 13:30:58 UTC 2017
On Tue, Aug 29, 2017 at 08:41:12AM -0400, Robert Blayzor wrote:
> > On 29 August 2017 at 03:38, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> >> Well not completely useless. BCP will still drop BOGONs at the edge
> >> before they leak into your network.
> > Assuming you don't use them in your own infra. And cost of RPF is lot
> > higher than cost of ACL. Them being entirely static entities they
> > should be in your edgeACL. The only real justification for loose RPF
> > is source based blackholing.
> Well, if you are using public IP addresses for infra you are violating
> your RIR’s policy more than likely.
There may be some miscommunication here or confusion on terminology
used. But for instance using public, globally unique addresses for your
router's loopback addresses, or router-to-router linknets is fine and
not a violation.
> And if you’re using RFC1918 space in your global routing table, then
> that's another fiasco you’ll have to deal with.
Then don't do that! :)
> Managing ACLs for customer routes has far more overhead (and cost,
> i.e. time, human error, etc.) than to just use RPF on an edge port. I
> believe the OP was talking about multi-homed; in that case, if you run a
> tight ship in your network, RPF loose is probably a good choice. It at
> least gives you an easy way to not accept total trash at the edge.
I am not sure what "RPF loose" offers that a static general purpose edge
ACL can't offer to protect your infrastructure and deny obvious bogons.
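To make the trade-off argued in this thread concrete (what a static bogon ACL drops, what loose uRPF drops, and what changes once RFC1918 space leaks into the global table), here is an added Python simulation that is not part of the original thread; the bogon list and routing tables are constructed, abbreviated examples, not a real bogon feed or a real RIB.

```python
from ipaddress import ip_address, ip_network

# Constructed, deliberately abbreviated bogon list; real bogon feeds are
# longer and change over time, so a static ACL needs periodic maintenance.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def edge_acl_permits(src):
    """Static edge ACL: deny a source inside any bogon prefix, permit the rest."""
    addr = ip_address(src)
    return not any(addr in net for net in BOGONS)


def loose_urpf_permits(src, rib):
    """Loose uRPF: permit when any route in the table covers the source,
    whatever interface the packet arrived on. A default route is ignored
    here, since it would otherwise match every source address."""
    addr = ip_address(src)
    return any(addr in ip_network(p) for p in rib if ip_network(p).prefixlen > 0)


def classify(src, rib):
    """Verdict of both mechanisms for one source address and one routing table."""
    return {"edge_acl": edge_acl_permits(src), "loose_urpf": loose_urpf_permits(src, rib)}


# Constructed routing tables: a clean one, and one where RFC1918 space
# has been leaked into the global table (the "fiasco" mentioned above).
CLEAN_RIB = ["203.0.113.0/24", "198.51.100.0/24"]
LEAKED_RIB = CLEAN_RIB + ["192.168.0.0/16"]

if __name__ == "__main__":
    cases = (
        ("203.0.113.7", CLEAN_RIB, "routed public source"),
        ("192.168.1.1", CLEAN_RIB, "RFC1918 source, clean table"),
        ("192.168.1.1", LEAKED_RIB, "RFC1918 source, RFC1918 leaked into table"),
        ("198.51.101.9", CLEAN_RIB, "public but unrouted source"),
    )
    for src, rib, label in cases:
        print(f"{label:42} {src:14} {classify(src, rib)}")
```

The RFC1918 source stays dropped by the ACL regardless of the table, but loose uRPF passes it once a covering route exists; conversely, the unrouted public source is only dropped by loose uRPF, which is the gap a static ACL does not close.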
More information about the NANOG