Ingress filtering on transits, peers, and IX ports

Baldur Norddahl baldur.norddahl at gmail.com
Thu Oct 15 10:56:35 UTC 2020


This is about ingress ACLs, not egress.

Thu 15 Oct 2020 12:00, <adamv0025 at netconsultings.com> wrote:

> Simple,
>
> All stub autonomous systems should have a simple egress ACL allowing only
> PI of their customers and their own PAs. It’s a simple ACL at each AS exit
> point (towards transits/peers), that’s it.
>
> Not sure why this isn’t the first sentence in every BCP and “security
> bulletin”…
>
> adam
>
> *From:* NANOG <nanog-bounces+adamv0025=netconsultings.com at nanog.org> *On
> Behalf Of *Baldur Norddahl
> *Sent:* Thursday, October 15, 2020 8:38 AM
> *To:* nanog at nanog.org
> *Subject:* Re: Ingress filtering on transits, peers, and IX ports
>
> All DNS resolvers discovered on our network belong to customers. Our own
> resolvers, running unbound, were not discovered.
>
> While filtering same AS on ingress could help those customers (but only
> one was an open relay), filtering bogons is something the customer can also
> do. Or the software can be fixed. Do we really expect the ISP to implement
> firewalls instead of customers upgrading software?
>
> I also note that apparently our own ISPs (transits) do not filter bogons
> either.
>
> The above is a question of principle. I am going to filter bogons, it just is
> not very high on my long list of stuff to do.
>
> Regards
>
> Baldur
>
> Wed 14 Oct 2020 20:53, Casey Deccio <casey at deccio.net> wrote:
>
> Hi Bryan,
>
> > On Oct 14, 2020, at 12:43 PM, Bryan Holloway <bryan at shout.net> wrote:
> >
> > I too would like to know more about their methodology
>
> We've written up our methodology and results in a paper that will be
> available in a few weeks. Happy to post it here if folks are interested.
> Obviously, no networks are individually identified; it's all aggregate.
>
> Also, we're working on a self-test tool, but it's not quite ready yet.
> Sorry.
>
> > and actual tangibles ideally in the form of PCAPs.
>
> What do you mean by "tangibles in the form of PCAPs"?
>
> Casey
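The two rules argued over in this thread, the egress allow-list at the AS exit (only own PA and customer PI may leave) and the ingress filter on transit/peer/IX ports (drop bogons and drop packets claiming to come from inside the AS), as a small added Python model; this is not code from any poster, and the prefixes, bogon subset and sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed prefixes for a hypothetical stub AS (not from the thread):
# its own PA block and one customer PI block.
OWN_PA = [ip_network("203.0.113.0/24")]
CUSTOMER_PI = [ip_network("198.51.100.0/24")]

# Subset of bogon space that should never arrive from a transit, peer or
# IX port. 192.0.2.0/24 is deliberately left out because it is used below
# as the constructed "outside" source address.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def in_any(src, prefixes):
    addr = ip_address(src)
    return any(addr in p for p in prefixes)

def egress_permit(src):
    """Egress rule (the 'simple ACL at each AS exit point'): a packet may
    leave towards transits/peers only if its source is our PA or our
    customers' PI. Any other source can only be spoofed."""
    return in_any(src, OWN_PA + CUSTOMER_PI)

def ingress_permit(src):
    """Ingress rule on transit/peer/IX ports: drop bogon sources and drop
    packets that claim to come from inside our own AS (same-AS filter),
    which is what protects the customers' open resolvers from reflection."""
    if in_any(src, BOGONS):
        return False
    if in_any(src, OWN_PA + CUSTOMER_PI):
        return False
    return True

def apply_acl(packets):
    """packets: list of (direction, src). Returns (direction, src, verdict)."""
    verdicts = []
    for direction, src in packets:
        permit = egress_permit(src) if direction == "egress" else ingress_permit(src)
        verdicts.append((direction, src, "permit" if permit else "drop"))
    return verdicts

if __name__ == "__main__":
    # Constructed sample: one legitimate flow each way, one RFC 1918 source
    # trying to leave, and an inbound packet spoofing a customer address.
    sample = [("egress", "203.0.113.7"), ("ingress", "192.0.2.1"),
              ("egress", "10.1.2.3"), ("ingress", "198.51.100.53")]
    for verdict in apply_acl(sample):
        print(*verdict)
```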