BCP38/84 and DDoS ACLs
joelja at bogus.com
Sat May 27 00:44:18 UTC 2017
On 5/26/17 10:24, Kody Vicknair wrote:
> When I was doing some research in regards to the same subject I ran across this doc. I've found it to be very helpful.
Causally applied RPF checks applied to transit and peer interfaces
especially exchange fabrics have a very high-liklihood of blackholing
traffic you wanted particularly during maintenance if not casually
implemented. A very careful read rfc3704/bcp 84 is a necessary part of
implementing bcp 38 filters.
> Kody Vicknair
> Network Engineer
> Tel: 985.536.1214
> Fax: 985.536.0300
> Email: kvicknair at reservetele.com
> Reserve Telecommunications
> 100 RTC Dr
> Reserve, LA 70084
> The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material which should not disseminate, distribute or be copied. Please notify Kody Vicknair immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Kody Vicknair therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. .
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces+kvicknair=reservetele.com at nanog.org] On Behalf Of Roland Dobbins
> Sent: Friday, May 26, 2017 12:20 PM
> To: nanog at nanog.org
> Subject: Re: BCP38/84 and DDoS ACLs
> On 26 May 2017, at 22:39, Graham Johnston wrote:
>> I am looking for information regarding standard ACLs that operators
>> may be using at the internet edge of their network, on peering and
>> transit connections,
> These .pdf presos may be of interest:
> They talk about iACL and tACL design philosophy.
> What traffic you should permit/deny on your network is, of course, situationally-specific. Depends on what kind of network it is, what servers/services/applications/users you have, et. al. You may need one set of ACLs at the peering/transit edge, and other, more specific ACLs, at the IDC distribution gateway, customer aggregation gateway, et. al.
> Roland Dobbins <rdobbins at arbor.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 203 bytes
Desc: OpenPGP digital signature
More information about the NANOG