nanog mailing list archives
RE: Ingress filtering on transits, peers, and IX ports
From: <adamv0025 () netconsultings com>
Date: Thu, 15 Oct 2020 13:14:48 +0100
From: Saku Ytti <saku () ytti fi> Sent: Thursday, October 15, 2020 11:12 AM Hey,
Hey Saku,
All stub autonomous systems should have a simple egress ACL allowingonly PI of their customers and their own PAs -it’s a simple ACL at each AS-Exit points (towards transits/peers), that’s it.-not sure why this isn’t the first sentence in every BCP and “security bulletin”…I will venture a guess. 1) it's very specific scenario to be stubby and have downstream PI
Yes it is and in most cases it's about "I have these few /XYs from which I address my customers (eyeballs) so nothing outside of these should ever leave my AS" -as simple as that.
2) it won't address customers spoofing each other arbitrarily and customer1 spoofing as customer2 on the internet, giving large chunk of the utility of spoofing even with protection in place
Yes its not 100% effective as you pointed out, However if every stub AS implemented this egress ACL on the few of their transit/peering links, there would be a lot less inter-AS garbage floating around.
How do you maintain that ACL?
Well you're gonna update the ACL every time you acquire a new PA space (every now and then), or when another customer wants you route their PI (rare, simply cause you're a stub AS with mostly eyeballs). It's one ACL you need to update on every box with AS-exit links -usually there are not that many in a stub-AS.
Why doesn't that same mechanism allow ingress ACL on the customer port? Your proposal looks low utility for work needed.
Yes one should absolutely do that, but... But considering to become a good netizen what is more work? a) Testing and the enabling uRPF on every customer facing box or setting up precise ACLs on every customer facing port, and then maintaining all that? b) Gathering all your PAs (potentially PIs) (hint: show bgp nei x.x.x.x advertised routes) crafting an ACL and apply it on several peering/transit links? One of them is couple of weeks work and one is an afternoon job. adam
Current thread:
- Re: Ingress filtering on transits, peers, and IX ports, (continued)
- Re: Ingress filtering on transits, peers, and IX ports Mark Andrews (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Brian Knight via NANOG (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Bryan Holloway (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Mel Beckman (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Eric Kuhnke (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 19)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Nick Hilliard (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Chris Adams (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 15)