Ingress filtering on transits, peers, and IX ports

Tim Durack tdurack at gmail.com
Thu Oct 15 14:49:35 UTC 2020


On Thu, Oct 15, 2020 at 10:30 AM Saku Ytti <saku at ytti.fi> wrote:

> On Thu, 15 Oct 2020 at 17:22, Tim Durack <tdurack at gmail.com> wrote:
>
>
> > We deploy urpf strict on all customer end-host and broadband circuits.
> > In this scenario urpf = ingress acl I don't have to think about.
>
> But you have to think about what prefixes a customer has. If BGP you
> need to generate prefix-list, if static you need to generate a static
> route. As you already have to know and manage this information, what
> is the incremental cost to also emit an ACL?
>
> --
>   ++ytti
>

"You might argue that ingress packet acl would be operationally simpler on
customer and upstream, as you could cover all scenarios."

Although for a static customer urpf is hard to beat...

-- 
Tim:>
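
Added example, not part of the original message or of either poster's tooling: a sketch of the point raised in the quoted reply, that the customer prefix data already needed for a BGP prefix-list or a static route can also emit the ingress packet ACL. The record layout, the names, the documentation-range addresses and the Cisco IOS-style output syntax are assumptions chosen for illustration; the thread names no vendor.

```python
import ipaddress

# Constructed sample record (documentation address space, hypothetical names).
CUSTOMER = {
    "name": "CUST-EXAMPLE",
    "attach": "static",            # "static" or "bgp"
    "next_hop": "203.0.113.2",     # only used for static customers
    "prefixes": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
}

def networks(record):
    """Validate the prefixes (host bits set raises ValueError) and aggregate them."""
    nets = [ipaddress.ip_network(p, strict=True) for p in record["prefixes"]]
    return list(ipaddress.collapse_addresses(nets))

def prefix_list(record):
    """BGP customer: inbound prefix-list of what the customer may announce."""
    name = record["name"] + "-IN"
    return [f"ip prefix-list {name} seq {5 * i} permit {n}"
            for i, n in enumerate(networks(record), start=1)]

def static_routes(record):
    """Static customer: one route per aggregated prefix."""
    return [f"ip route {n.network_address} {n.netmask} {record['next_hop']}"
            for n in networks(record)]

def ingress_acl(record):
    """Either kind of customer: permit only the customer's own source addresses."""
    lines = [f"ip access-list extended {record['name']}-IN"]
    lines += [f" permit ip {n.network_address} {n.hostmask} any"
              for n in networks(record)]
    lines.append(" deny ip any any")
    return lines

def render(record):
    """Routing config for the attachment type, plus the ACL from the same data."""
    if record["attach"] == "bgp":
        routing = prefix_list(record)
    elif record["attach"] == "static":
        routing = static_routes(record)
    else:
        raise ValueError(f"unknown attachment type: {record['attach']!r}")
    return routing + ingress_acl(record)

if __name__ == "__main__":
    print("\n".join(render(CUSTOMER)))
```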