BCP38/84 and DDoS ACLs

Kody Vicknair kvicknair at reservetele.com
Fri May 26 17:24:52 UTC 2017


When I was doing some research in regards to the same subject I ran across this doc. I've found it to be very helpful.

http://nabcop.org/index.php/DDoS-DoS-attack-BCOP




Kody Vicknair
Network Engineer

Tel:    985.536.1214
Fax:    985.536.0300
Email:  kvicknair at reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084


-----Original Message-----
From: NANOG [mailto:nanog-bounces+kvicknair=reservetele.com at nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, May 26, 2017 12:20 PM
To: nanog at nanog.org
Subject: Re: BCP38/84 and DDoS ACLs


On 26 May 2017, at 22:39, Graham Johnston wrote:

> I am looking for information regarding standard ACLs that operators
> may be using at the internet edge of their network, on peering and
> transit connections,

These .pdf presos may be of interest:

<https://app.box.com/s/ko8lk4vlh1835p36na3u>

<https://app.box.com/s/xznjloitly2apixr5xge>

They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, situationally-specific.  Depends on what kind of network it is, what servers/services/applications/users you have, et al.  You may need one set of ACLs at the peering/transit edge, and other, more specific ACLs, at the IDC distribution gateway, customer aggregation gateway, et al.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

