Ingress filtering on transits, peers, and IX ports

Saku Ytti saku at ytti.fi
Thu Oct 15 10:11:42 UTC 2020


Hey,

> All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs - it’s a simple ACL at each AS-Exit points (towards transits/peers), that’s it.
>
> -not sure why this isn’t the first sentence in every BCP and “security bulletin”…

I will venture a guess.

  1) it's a very specific scenario to be stubby and have downstream PI
  2) it won't address customers spoofing each other arbitrarily and
customer1 spoofing as customer2 on the internet, giving a large chunk of
the utility of spoofing even with protection in place

How do you maintain that ACL? Why doesn't that same mechanism allow
ingress ACL on the customer port? Your proposal looks low utility for
the work needed.


-- 
  ++ytti
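As an added illustration of point 2 above (example code, not from the thread or its authors), a small Python model of the two ACL placements: one egress ACL at the AS exit versus per-port ingress ACLs on customer links. The AS name, customer names and prefixes are constructed for the example.

```python
# Constructed stub-AS layout: the AS's own PA block plus two customers with PI space.
import ipaddress

OWN_PA = ["192.0.2.0/24"]
CUSTOMER_PI = {
    "customer1": ["198.51.100.0/25"],
    "customer2": ["198.51.100.128/25"],
}


def build_egress_acl():
    """Single egress ACL at the AS exit: union of own PA and every customer's PI."""
    allowed = OWN_PA + [p for prefixes in CUSTOMER_PI.values() for p in prefixes]
    return [ipaddress.ip_network(p) for p in allowed]


def build_ingress_acls():
    """Per-customer-port ingress ACLs: each port admits only that customer's own PI."""
    return {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in CUSTOMER_PI.items()}


def permitted(acl, src):
    """True if the source address falls inside any prefix of the ACL."""
    return any(ipaddress.ip_address(src) in net for net in acl)


def egress_permits(src):
    return permitted(build_egress_acl(), src)


def ingress_permits(port, src):
    return permitted(build_ingress_acls()[port], src)


def classify(port, src):
    """Return (passes_egress_acl, passes_ingress_acl) for a packet from a customer port."""
    return egress_permits(src), ingress_permits(port, src)


if __name__ == "__main__":
    # Legitimate traffic: customer1 sends from its own PI; both placements pass it.
    print(classify("customer1", "198.51.100.10"))    # (True, True)
    # Spoofing an unrelated internet address: both placements drop it.
    print(classify("customer1", "203.0.113.5"))      # (False, False)
    # customer1 spoofing customer2: the exit egress ACL lets it through,
    # only the ingress ACL on customer1's port stops it.
    print(classify("customer1", "198.51.100.200"))   # (True, False)
```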


More information about the NANOG mailing list