nanog mailing list archives

Re: Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)


From: "E.B. Dreger" <eddy+public+spam () noc everquick net>
Date: Tue, 9 Oct 2001 16:00:40 +0000 (GMT)


Date: Tue, 09 Oct 2001 07:58:19 -0700
From: Grant A. Kirkwood <grant () virtical net>

I'm currently in the process of setting up a new border router,
and the recent debate on the above topic got me wondering what
the best practice filtering policy is? Is there one?

And what do people put in place in terms of anti-spoofing ACLs
and such?  There's a wealth of information on these topics, but
no real consensus.

+ If you're running BGP, filter your as-paths and netblocks to
  avoid any unwanted redistribution.  This is always a bad thing,
  and long as-paths don't necessarily rule out a path being
  taken; remember that local-pref overrides as-path length.

  If it's an edge router, you needn't worry too much about prefix
  length -- they're already filtered for you.

+ You want to prevent forged outbound packets.  They have no
  valid[1] use, and forged packets make tracing DoS attacks a
  pain.

  [1] I recall hearing that some satellite downlink Web service
  required the ability to send packets from their netblock.
  However, you can selectively allow these, as you would your own
  netblock.

+ Disallow 10/8, 172.16/12, and 192.168/16 -- no need for them to
  go anywhere.


Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist () brics com>
To: blacklist () brics com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist () brics com>, or you are likely to be blocked.
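An added example, not part of Eddy's post or the thread: a small Python model of the outbound anti-spoofing policy he describes (drop RFC 1918 sources, permit only your own netblocks plus the selectively allowed exception from footnote [1], deny everything else), with a rendering of the same policy as Cisco IOS named ACL lines. The netblocks are constructed placeholders from the documentation ranges, not anyone's real allocation.

```python
from ipaddress import ip_address, ip_network

# Constructed policy inputs (documentation prefixes, not real allocations).
OWN_NETBLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Hypothetical third party that legitimately sources packets from our side,
# the footnote [1] case: allowed explicitly rather than by opening the filter.
EXTRA_ALLOWED = [ip_network("192.0.2.0/28")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def egress_verdict(src):
    """Classify an outbound packet by source address.

    Returns ("permit" | "deny", reason). Order matters: private space is
    rejected first, then only known-good sources are permitted, and any
    other source is treated as forged.
    """
    addr = ip_address(src)
    if any(addr in n for n in RFC1918):
        return "deny", "rfc1918 source must not leave the network"
    if any(addr in n for n in OWN_NETBLOCKS + EXTRA_ALLOWED):
        return "permit", "source belongs to a permitted netblock"
    return "deny", "forged source: not one of our netblocks"


def as_cisco_acl(name="EGRESS-ANTISPOOF"):
    """Render the same policy as Cisco IOS extended ACL lines (wildcard masks)."""
    lines = [f"ip access-list extended {name}"]
    for n in RFC1918:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    for n in OWN_NETBLOCKS + EXTRA_ALLOWED:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")   # log the forgeries you catch
    return lines


def check_packets(srcs):
    """Map each constructed sample source to its verdict."""
    return {s: egress_verdict(s)[0] for s in srcs}


if __name__ == "__main__":
    for src, verdict in check_packets(
            ["203.0.113.7", "10.1.2.3", "8.8.8.8", "192.0.2.5"]).items():
        print(f"{src:16} {verdict}")
    print("\n".join(as_cisco_acl()))
```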

