Stupid Question maybe?

Christian Meutes christian at errxtx.net
Thu Dec 20 08:32:34 UTC 2018


On Wed, Dec 19, 2018 at 8:32 AM Saku Ytti <saku at ytti.fi> wrote:

> On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
> <Philip.Loenneker at tasmanet.com.au> wrote:
>
> > I had a heck of a time a few years back trying to troubleshoot an issue
> > where an upstream provider had an ACL with an incorrect mask along the
> > lines of 255.252.255.0. That was really interesting to talk about once we
> > discovered it, though it caused some loss of hair beforehand...
>
> Juniper originally didn't support them even in ACL use-case but were
> forced to add later due to customer demand, so people do have
> use-cases for them. If we'd still support them in forwarding, I'm sure
> someone would come up with solution which depends on it. I am not
> advocating we should, I'll rather take my extra PPS out of the HW.
>
> However there is one quite interesting use-case for discontinuous mask
> in ACL. If you have, like you should have, specific block for customer
> linknetworks, you can in iACL drop all packets to your side of the
> links while still allowing packets to customer side of the links,
> making attack surface against your network minimal.


And unfortunately it is still not supported by IOS-XR for IPv6, which could
mean not having a scalable way on your edge to protect your internal
network.

-- 
Christian

e-mail/xmpp: christian at errxtx.net
PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318
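Added example (editor's, not from the thread or from any vendor's ACL code) of the discontiguous-mask iACL trick Saku describes above. It assumes a constructed provider that carves customer point-to-point links out of one dedicated block, 192.0.2.0/24, as /30s, with the provider's side always the first usable host (.1, .5, ...) and the customer's side the second (.2, .6, ...). The wildcard semantics follow the Cisco convention (a 1 bit means "don't care"); the function names, the address block and the single ACL entry are all assumptions made for the illustration. The IPv6 check at the end only shows what the same mask would express on a /127 link block; as the message notes, IOS-XR does not accept such masks in IPv6 ACLs.

```python
import ipaddress

# Constructed example: one dedicated block for customer link networks,
# carved into /30s. Provider ("our") side = first usable host of each /30,
# customer side = second usable host. Block and convention are assumptions.
LINKNET_BLOCK = ipaddress.ip_network("192.0.2.0/24")
LINK_PREFIXLEN = 30


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: a 1 bit in `wildcard` means "don't care".

    Unlike a prefix mask, the wildcard may set 1 bits anywhere (a discontiguous
    mask), so one entry can select a single host position inside every subnet
    of a block. Works for IPv4 and IPv6 because ipaddress gives plain integers.
    """
    a = int(ipaddress.ip_address(address))
    p = int(ipaddress.ip_address(pattern))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (p & ~w)


def iacl_verdict(dst: str) -> str:
    """Minimal iACL (assumed): deny traffic to our side of every customer link.

    192.0.2.1 with wildcard 0.0.0.252 means: first three octets must match,
    the six subnet bits of the last octet are ignored, and the two host bits
    must be 01, i.e. the provider's address in each /30.
    """
    if wildcard_match(dst, "192.0.2.1", "0.0.0.252"):
        return "deny"
    return "permit"


def classify_block() -> dict:
    """Walk every /30 in the link block and record what the single entry does."""
    provider_side, customer_side = [], []
    for link in LINKNET_BLOCK.subnets(new_prefix=LINK_PREFIXLEN):
        hosts = list(link.hosts())  # for a /30: [x.1, x.2]
        provider_side.append(str(hosts[0]))
        customer_side.append(str(hosts[1]))
    denied = [a for a in provider_side + customer_side if iacl_verdict(a) == "deny"]
    permitted_customer = [a for a in customer_side if iacl_verdict(a) == "permit"]
    return {
        "links": len(provider_side),
        "denied": denied,
        "permitted_customer": permitted_customer,
        # Without a discontiguous mask you would need one /32 entry per link.
        "entries_with_prefix_masks": len(provider_side),
        "entries_with_wildcard": 1,
    }


if __name__ == "__main__":
    result = classify_block()
    print(f"{result['links']} links, {len(result['denied'])} provider-side "
          f"addresses denied, {len(result['permitted_customer'])} customer-side "
          f"addresses permitted, ACL entries needed: "
          f"{result['entries_with_wildcard']} vs {result['entries_with_prefix_masks']}")
    # Same idea on an assumed IPv6 /112 link block carved into /127s, provider side ::1:
    print(wildcard_match("2001:db8:ffff::4321", "2001:db8:ffff::1", "::fffe"))
```

The point of the walk in classify_block is the scaling claim in the message: with prefix masks the iACL grows by one entry per customer link, while the wildcard entry stays at one regardless of how many /30s the block holds, because the "don't care" bits sit between the network part and the host part.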