Incoming SSDP UDP 1900 filtering

Tom Beecher beecher at beecher.cc
Mon Mar 25 14:08:11 UTC 2019


If your edge ingress ACLs are not 100% in sync all the time, you will
inevitably have Really Weird Stuff happen that will end up taking forever
to diagnose.

You will eventually end up closing off a port that something else needs to
work properly, and now you have to figure out how to resolve that.

Packet filtering is more computationally taxing than just routing is. Your
edge equipment is likely going to be built for maximum routing efficiency.
Trying to bite off too much filtering there increases your risk of legit
traffic being tossed on the floor.



On Mon, Mar 25, 2019 at 6:41 AM Tom Hill <tom at ninjabadger.net> wrote:

> On 25/03/2019 09:17, Sean Donelan wrote:
> > It's always a bad idea to do packet filtering at your BGP border.
>
>
> Wild assertion. Why?
>
> DoS mitigation, iACLs, BGP security... I can think of lots of very
> sensible reasons.
>
> --
> Tom
>