<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Simple, <o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs -it’s a simple ACL at each AS-Exit points (towards transits/peers), that’s it.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>-not sure why this isn’t the first sentence in every BCP and “security bulletin”…<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>adam <o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> NANOG <nanog-bounces+adamv0025=netconsultings.com@nanog.org> <b>On Behalf Of </b>Baldur Norddahl<br><b>Sent:</b> Thursday, October 15, 2020 8:38 AM<br><b>To:</b> nanog@nanog.org<br><b>Subject:</b> Re: Ingress filtering on transits, peers, and IX ports<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>All DNS resolvers discovered on our network belong to customers. Our own resolvers, running unbound, were not discovered. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>While filtering same AS on ingress could help those customers (but only one was a open relay), filtering bogons is something the customer can also do. Or the software can be fixed. Do we really expect the ISP to implement firewalls instead of customers upgrading software?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I also note that apparently our own ISPs (transits) do not filter bogons either. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The above is a principal question. I am going to filter bogons, it just is not very high on my long list of stuff to do. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Baldur <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>ons. 14. okt. 2020 20.53 skrev Casey Deccio <<a href="mailto:casey@deccio.net">casey@deccio.net</a>>:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Hi Bryan,<br><br>> On Oct 14, 2020, at 12:43 PM, Bryan Holloway <<a href="mailto:bryan@shout.net" target="_blank">bryan@shout.net</a>> wrote:<br>> <br>> I too would like to know more about their methodology<br><br>We've written up our methodology and results in a paper that will be available in a few weeks. Happy to post it here if folks are interested. Obviously, no networks are individually identified; it's all aggregate.<br><br>Also, we're working on a self-test tool, but it's not quite ready yet. Sorry.<br><br>> and actual tangibles ideally in the form of PCAPs.<br><br>What do you mean by "tangibles in the form of PCAPs"?<br><br>Casey<o:p></o:p></p></blockquote></div></div></div></body></html>