BCP38/84 and DDoS ACLs

Roland Dobbins rdobbins at arbor.net
Fri May 26 17:19:34 UTC 2017

On 26 May 2017, at 22:39, Graham Johnston wrote:

> I am looking for information regarding standard ACLs that operators 
> may be using at the internet edge of their network, on peering and 
> transit connections,

These .pdf presos may be of interest:



They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, 
situationally-specific.  Depends on what kind of network it is, what 
servers/services/applications/users you have, et. al.  You may need one 
set of ACLs at the peering/transit edge, and other, more specific ACLs, 
at the IDC distribution gateway, customer aggregation gateway, et. al.

Roland Dobbins <rdobbins at arbor.net>

More information about the NANOG mailing list