nanog mailing list archives
Re: Customer-facing ACLs
From: "Christopher Morrow" <christopher.morrow () gmail com>
Date: Tue, 11 Mar 2008 14:41:43 -0400
On Tue, Mar 11, 2008 at 2:27 AM, Jo Rhett <jrhett () netconsonance com> wrote:
> Justin Shore wrote:
> > I'm assuming everyone uses uRPF at all their edges already so that
> > eliminates the need for specific ACEs with ingress/egress network
> > verification checks.
>
> ha. I only wish that was true. We do filter all customer ports for IPs we believe from them, but darn few other providers do. (as based on my conversations with many providers when tracking down attacks from their networks)
>
> That said, we filter nothing else.
>
> > Frags are explicitly dropped before any permits.
>
> ...? So you have no real, production sites?
Actually... depending upon platform the frags probably get through (on a Cisco) if they are associated with another ongoing session... Cisco ACLs believe that frags are 'ok' (even if you deny fragments in the ACL) unless the frag can't be put together with an existing session. Juniper just drops all frags...