Stupid Question maybe?

Saku Ytti saku at ytti.fi
Wed Dec 19 07:32:29 UTC 2018


On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
<Philip.Loenneker at tasmanet.com.au> wrote:

> I had a heck of a time a few years back trying to troubleshoot an issue where an upstream provider had an ACL with an incorrect mask along the lines of 255.252.255.0. That was really interesting to talk about once we discovered it, though it caused some loss of hair beforehand...

Juniper originally didn't support them even in the ACL use-case but were
forced to add them later due to customer demand, so people do have
use-cases for them. If we'd still support them in forwarding, I'm sure
someone would come up with a solution which depends on it. I am not
advocating we should, I'd rather take my extra PPS out of the HW.

However there is one quite interesting use-case for discontinuous mask
in ACL. If you have, like you should have, specific block for customer
linknetworks, you can in iACL drop all packets to your side of the
links while still allowing packets to customer side of the links,
making attack surface against your network minimal.


-- 
  ++ytti
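The iACL trick described in the post, written out as an added example (this is not code from the thread or from any vendor): a customer link-network block is carved into /30s, and one discontiguous mask selects only the provider-side address of every /30 so it can be dropped while the customer side stays reachable. The block 192.0.2.0/24, the /30 layout, and the convention that the provider takes the first usable address of each /30 are all assumptions made for the illustration; matching uses Cisco-style wildcard masks, where a set bit means "don't care".

```python
import ipaddress
from typing import List, Tuple

# Assumption for this example: customer link networks live in the
# documentation block 192.0.2.0/24, each link is a /30, and the provider
# (our) side of every link is the first usable address (.1, .5, .9, ...).
LINKNET_BLOCK = ipaddress.IPv4Network("192.0.2.0/24")

Rule = Tuple[str, str, str]  # (action, pattern, wildcard)


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: a set wildcard bit is 'don't care'.

    Non-contiguous wildcards are allowed, which is exactly what lets one
    entry pick out 'the .1 of every /30' across a whole /24.
    """
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (p & care)


# Constructed iACL fragment for traffic destined to the link-network block:
#  1. drop anything addressed to our side of any /30 (low two bits == 01)
#  2. permit the rest of the block, i.e. the customer side of the links
# Everything else falls through to the implicit deny at the end.
IACL: List[Rule] = [
    ("deny",   "192.0.2.1", "0.0.0.252"),   # discontiguous: /24 prefix + low 2 bits
    ("permit", "192.0.2.0", "0.0.0.255"),   # remainder of the linknet block
]


def evaluate(acl: List[Rule], dst: str) -> str:
    """First-match evaluation with an implicit deny, like a router ACL."""
    for action, pattern, wildcard in acl:
        if wildcard_match(dst, pattern, wildcard):
            return action
    return "deny"


def provider_side_addresses(block: ipaddress.IPv4Network) -> List[str]:
    """The /32 entries a contiguous-mask-only ACL would need to express rule 1."""
    return [str(sub[1]) for sub in block.subnets(new_prefix=30)]


if __name__ == "__main__":
    # Constructed sample destinations: our side, customer side, and off-block.
    for dst in ["192.0.2.1", "192.0.2.2", "192.0.2.253", "192.0.2.254", "198.51.100.7"]:
        print(f"{dst:>14} -> {evaluate(IACL, dst)}")
    print(f"contiguous-mask equivalent of rule 1: {len(provider_side_addresses(LINKNET_BLOCK))} entries")
```

Rule 1 is a single line because the wildcard 0.0.0.252 leaves bits 2..7 of the last octet as don't-care while pinning the two low bits to 01; without discontiguous support the same policy needs one /32 entry per link, which `provider_side_addresses` enumerates (64 for a /24 of /30s). The matching function is the thing to check when auditing an upstream's ACL: a mask like the 255.252.255.0 mentioned in the thread is just a different don't-care pattern, and running candidate addresses through it shows exactly which ones it silently excludes.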
