nanog mailing list archives
Re: Ingress filtering on transits, peers, and IX ports
From: Matt Harris <matt () netfire net>
Date: Tue, 13 Oct 2020 17:32:54 -0500
On Tue, Oct 13, 2020 at 5:22 PM Mel Beckman <mel () beckman org> wrote:
> You can also use Unicast Reverse Path Forwarding. RPF is more efficient than ACLs, and has the added advantage of not requiring maintenance. In a nutshell, if your router has a route to a prefix in its local RIB, then incoming packets from a border interface having a matching source IP will be dropped. RPF has knobs and dials to make it work for various ISP environments. Implement it carefully (as in, be standing next to the router involved :)
I received one of the aforementioned messages as well, and my response was that perhaps the best overall step towards protection at scale from the issue they raise would be for SPs to implement URPF facing stubby, single-homed networks. This is effectively the low-hanging fruit and doesn't require too much additional labor in terms of maintaining additional ACLs or prefix lists. In the case of multi-homed networks, things are less straightforward, but multi-homed networks make up a minority even if we exclude consumer internet connections.

Take care,
Matt
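As an added illustration (not code from either post above), here is a small Python model of the uRPF decision the thread is discussing, in strict and loose mode, beside the per-customer ingress ACL it replaces. Strict mode accepts a packet only when the best route back to its source address points out the interface the packet arrived on; loose mode only asks whether any route to the source exists. The FIB, interface names and customer prefixes below are constructed assumptions, as is the `allow_default` knob (it mirrors the allow-default option real implementations expose). The model shows why strict mode is the easy win on a single-homed stub port and why the same setting can drop legitimate traffic on an asymmetrically routed multi-homed port.

```python
"""Toy model of unicast RPF (uRPF) source checks: strict vs loose vs ACL.

Everything here is constructed for illustration: the FIB, the interface
names and the customer prefixes are assumptions, not real topology.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # interface the router would forward toward this prefix on


# Constructed sample FIB for a hypothetical ISP edge router:
#  - 0.0.0.0/0         default toward upstream on ge-0/0/0
#  - 203.0.113.0/24    single-homed stub customer behind ge-0/0/1
#  - 198.51.100.0/24   multi-homed customer; our best route to it is via a
#                      peer on ge-0/0/2, but the customer also sends us
#                      traffic directly on ge-0/0/3 (asymmetric routing)
FIB: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/0"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "ge-0/0/1"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "ge-0/0/2"),
]

# Hand-maintained prefix list for the stub customer (the ACL alternative).
STUB_ACL = [ipaddress.ip_network("203.0.113.0/24")]


def lookup(src: str, fib: Iterable[Route] = FIB) -> Optional[Route]:
    """Longest-prefix match of a source address against the FIB."""
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def _usable(route: Optional[Route], allow_default: bool) -> bool:
    """A match counts only if it exists and is not the default route,
    unless the operator explicitly allowed the default to satisfy uRPF."""
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    return True


def urpf_strict(src: str, in_iface: str, fib: Iterable[Route] = FIB,
                allow_default: bool = False) -> bool:
    """Strict mode: accept only if the best route back to src leaves via the
    interface the packet arrived on. Right answer for single-homed stubs."""
    r = lookup(src, fib)
    return _usable(r, allow_default) and r.out_iface == in_iface


def urpf_loose(src: str, fib: Iterable[Route] = FIB,
               allow_default: bool = False) -> bool:
    """Loose mode: accept if any (non-default) route to src exists. Survives
    asymmetric multi-homing, but only catches sources with no route at all."""
    return _usable(lookup(src, fib), allow_default)


def acl_check(src: str, allowed_prefixes: Iterable[ipaddress.IPv4Network]) -> bool:
    """Static ingress ACL: the thing uRPF saves you from maintaining."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in allowed_prefixes)


if __name__ == "__main__":
    cases = [
        ("stub, legit source",        urpf_strict("203.0.113.10", "ge-0/0/1")),
        ("stub, spoofed source",      urpf_strict("192.0.2.5", "ge-0/0/1")),
        ("multihomed, strict (drops legit!)", urpf_strict("198.51.100.7", "ge-0/0/3")),
        ("multihomed, loose",         urpf_loose("198.51.100.7")),
        ("spoof, loose, no default",  urpf_loose("192.0.2.5")),
        ("spoof, loose, allow-default (accepts!)", urpf_loose("192.0.2.5", allow_default=True)),
    ]
    for name, accepted in cases:
        print(f"{name:45s} -> {'accept' if accepted else 'drop'}")
```

The last two cases are the "knobs and dials" caveat: with a default route in the FIB, enabling allow-default turns loose mode into an accept-everything check, so on an edge with a default route, loose mode earns its keep only without it. On Cisco IOS the corresponding interface commands are `ip verify unicast source reachable-via rx` (strict) and `ip verify unicast source reachable-via any` (loose), each with an optional `allow-default`.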