nanog mailing list archives
Re: Ingress filtering on transits, peers, and IX ports
From: Saku Ytti <saku () ytti fi>
Date: Thu, 15 Oct 2020 17:02:56 +0300
On Thu, 15 Oct 2020 at 15:14, <adamv0025 () netconsultings com> wrote:
Yes one should absolutely do that, but... But considering to become a good netizen what is more work? a) Testing and the enabling uRPF on every customer facing box or setting up precise ACLs on every customer facing port, and then maintaining all that? b) Gathering all your PAs (potentially PIs) (hint: show bgp nei x.x.x.x advertised routes) crafting an ACL and apply it on several peering/transit links? One of them is couple of weeks work and one is an afternoon job.
I am not fan of uRPF, expensive for what it does. But I don't view it as an alternative here, I view it as either adding an ACE on all egresses on egress direction or adding ACE on the ingress where customer is on ingress direction. To me these options seem equally complex but the latter one seems superior. -- ++ytti
Current thread:
- Re: Ingress filtering on transits, peers, and IX ports, (continued)
- Re: Ingress filtering on transits, peers, and IX ports Brian Knight via NANOG (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Bryan Holloway (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Mel Beckman (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Eric Kuhnke (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 19)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Nick Hilliard (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Chris Adams (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Brian Knight via NANOG (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 15)