Ingress filtering on transits, peers, and IX ports

Saku Ytti saku at ytti.fi
Thu Oct 15 14:02:56 UTC 2020


On Thu, 15 Oct 2020 at 15:14, <adamv0025 at netconsultings.com> wrote:


> Yes one should absolutely do that, but...
> But considering to become a good netizen what is more work?
> a) Testing and then enabling uRPF on every customer facing box or setting up precise ACLs on every customer facing port, and then maintaining all that?
> b) Gathering all your PAs (potentially PIs) (hint: show bgp nei x.x.x.x advertised routes), crafting an ACL and applying it on several peering/transit links?
> One of them is a couple of weeks' work and one is an afternoon job.

I am not a fan of uRPF, expensive for what it does. But I don't view it
as an alternative here; I view it as either adding an ACE on all
egresses in the egress direction, or adding an ACE on the ingress where
the customer is, in the ingress direction.

To me these options seem equally complex but the latter one seems superior.

-- 
  ++ytti
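As an added illustration of the two placements discussed above (option b's deny-our-own-sources ACL on transit/peer/IX ports, and the permit-only-the-customer's-prefixes ACE on the customer-facing ingress), the following Python is not from the thread; the prefixes are constructed sample values, the ACL syntax is IOS-style IPv4 only, and the function names are my own.

```python
import ipaddress

# Constructed sample: the PA/PI space this AS originates (documentation ranges,
# deliberately including one more-specific so aggregation is visible).
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "198.51.100.128/25", "203.0.113.0/24"]

# Constructed sample: what one customer is allowed to source.
CUSTOMER_PREFIXES = ["198.51.100.128/25"]


def collapse(prefixes):
    """Aggregate overlapping/adjacent prefixes so the ACL has one ACE per block."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def transit_ingress_acl(name, our_prefixes):
    """Option (b): applied inbound on peering/transit/IX ports, drops packets whose
    source claims to be inside our own address space (it cannot legitimately arrive
    from outside). Returns IOS-style lines; hostmask gives the wildcard mask."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(our_prefixes):
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    return lines


def customer_ingress_acl(name, customer_prefixes):
    """The ingress-side alternative: on the customer-facing port, permit only the
    sources that customer holds and drop everything else (no uRPF needed)."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(customer_prefixes):
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def dropped_at_transit(src, our_prefixes):
    """True if transit_ingress_acl() would discard a packet with this source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in collapse(our_prefixes))


if __name__ == "__main__":
    print("\n".join(transit_ingress_acl("FROM-TRANSIT", OUR_PREFIXES)))
    print("\n".join(customer_ingress_acl("FROM-CUST-A", CUSTOMER_PREFIXES)))
```

Note that the transit ACL must be regenerated whenever a new PA/PI block is added, which is the maintenance cost the thread weighs against per-port ACLs.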

