uPRF strict more

• Previous message (by thread): uPRF strict more
• Next message (by thread): uPRF strict more
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/29/2021 9:27 AM, Mark Tinka wrote:
>
> On 9/29/21 16:21, Blake Hudson wrote:
>> I do not use uRPF on upstream/transit/IX links or with multi-homed 
>> customers - or anywhere else where traffic could be asymmetrical; I 
>> prefer to use stateless ACLs at these locations.
>
> On peering and transit routers, on ports facing the remote side, we 
> apply ACL's to drop traffic inbound from reserved space, as well as 
> our own (as we shouldn't see it coming in from the outside).
>
> It's amazing how many matches we see, for all space, both IPv4 and 
> IPv6. Tells just how open some of the "major" networks are :-).

Ditto. And ditto.

Extended IP access list ACL-TRANSIT-IN
     ...
     160 deny ip host 0.0.0.0 any
     170 deny ip 127.0.0.0 0.255.255.255 any
     180 deny ip 224.0.0.0 15.255.255.255 any
     190 deny ip 240.0.0.0 15.255.255.255 any
     200 deny ip 10.0.0.0 0.255.255.255 any (91057035 matches)
     210 deny ip 172.16.0.0 0.15.255.255 any (1366408 matches)
     220 deny ip 192.168.0.0 0.0.255.255 any (18325538 matches)
     230 deny ip 169.254.0.0 0.0.255.255 any (146523 matches)
     ...

• Previous message (by thread): uPRF strict more
• Next message (by thread): uPRF strict more
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]