nanog mailing list archives

Re: Ingress filtering on transits, peers, and IX ports


From: Saku Ytti <saku () ytti fi>
Date: Thu, 15 Oct 2020 13:11:42 +0300

Hey,

> All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs
> - it’s a simple ACL at each AS exit point (towards transits/peers), that’s it.
>
> - not sure why this isn’t the first sentence in every BCP and “security bulletin”…

I will venture a guess.

  1) it's a very specific scenario to be stubby and have downstream PI
  2) it won't address customers spoofing each other arbitrarily, and
     customer1 spoofing as customer2 on the internet, giving a large chunk of
     the utility of spoofing even with protection in place

How do you maintain that ACL? Why doesn't that same mechanism allow an
ingress ACL on the customer port? Your proposal looks low utility for the
work needed.


-- 
  ++ytti
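The difference the reply points at (a single egress ACL at the AS exit versus per-customer-port ingress ACLs), as an added Python illustration that is not part of the thread. The stub AS, its PA block, the two customers' PI prefixes and the packets are all constructed for the example.

```python
# Added example (not from the NANOG thread): compare one egress ACL at the AS
# exit, permitting own PA plus every customer's PI, with a per-port ingress
# ACL that permits only the prefixes assigned to that customer port.
import ipaddress

# Constructed topology: a stub AS with its own PA block and two PI-holding
# customers, each attached on its own port.  All prefixes are documentation
# space, not real assignments.
OWN_PA = ["198.51.100.0/24"]
CUSTOMER_PI = {
    "port-cust1": ["203.0.113.0/25"],
    "port-cust2": ["203.0.113.128/25"],
}

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def egress_acl_permits(src):
    """Single ACL at the AS exit: permit any source in own PA or any customer PI."""
    allowed = _nets(OWN_PA) + [n for pfx in CUSTOMER_PI.values() for n in _nets(pfx)]
    return any(ipaddress.ip_address(src) in n for n in allowed)

def ingress_acl_permits(port, src):
    """Per-port ingress ACL: permit only the prefixes assigned to that customer port."""
    return any(ipaddress.ip_address(src) in n for n in _nets(CUSTOMER_PI.get(port, [])))

def evaluate(packets):
    """For each (ingress port, source) pair, report what each policy decides."""
    return [(port, src, egress_acl_permits(src), ingress_acl_permits(port, src))
            for port, src in packets]

# Constructed packets: (ingress port, claimed source address).
PACKETS = [
    ("port-cust1", "203.0.113.10"),    # legitimate: cust1's own PI
    ("port-cust1", "203.0.113.200"),   # cust1 spoofing cust2's PI
    ("port-cust1", "198.51.100.7"),    # cust1 spoofing the stub AS's own PA
    ("port-cust2", "192.0.2.5"),       # cust2 spoofing unrelated space
]

if __name__ == "__main__":
    for port, src, egress, ingress in evaluate(PACKETS):
        print(f"{port:<10} src={src:<14} "
              f"egress_acl={'permit' if egress else 'deny':<6} "
              f"ingress_acl={'permit' if ingress else 'deny'}")
```

Only the last packet is stopped by the exit ACL; the two intra-AS spoofs pass it and are caught solely by the per-port ingress filter.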
