nanog mailing list archives

Re: Todd Underwood was a little late


From: Jon Lewis <jlewis () lewis org>
Date: Wed, 16 Jun 2010 22:43:11 -0400 (EDT)

On Thu, 17 Jun 2010, Mark Andrews wrote:

> Why was this traffic hitting your DNS server in the first place?  It should
> have been rejected by the ingress filters preventing spoofing of the local
> network.

When I ran a smaller, simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, and numerous multihomed customers, some of which use IPs we've assigned them, it gets a little more complicated to do.

I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
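The border filter Jon describes, worked through as an added example (not code from the thread or from Atlantic Net): exceptions for multihomed customer blocks are matched first, then anything else sourced from our own space is dropped. All prefixes are constructed sample values from RFC 5737 test space, and the ACL name is made up.

```python
"""Border anti-spoofing (BCP 38 style) ingress filter, as the reply describes:
on links from transit providers, drop packets whose source address is in our
own space, except sources in blocks assigned to multihomed customers, who may
legitimately reach us through another provider. Every prefix below is a
constructed sample value (RFC 5737 test space), not a real allocation."""
import ipaddress

OUR_BLOCKS = ["203.0.113.0/24", "198.51.100.0/24"]
# Customer blocks carved from our space that are also announced elsewhere.
MULTIHOMED_EXCEPTIONS = ["203.0.113.64/27", "198.51.100.128/26"]


def build_filter(our_blocks, exceptions):
    """Parse prefixes and check each exception sits inside our own space."""
    ours = [ipaddress.ip_network(p) for p in our_blocks]
    excs = [ipaddress.ip_network(p) for p in exceptions]
    for e in excs:
        if not any(e.subnet_of(o) for o in ours):
            raise ValueError(f"exception {e} is not inside our address space")
    return ours, excs


def ingress_verdict(src, ours, excs):
    """Return 'permit' or 'deny' for a packet source seen on a transit link."""
    addr = ipaddress.ip_address(src)
    if any(addr in e for e in excs):
        return "permit"   # multihomed customer block, may arrive via transit
    if any(addr in o for o in ours):
        return "deny"     # claims to be our space but arrived from outside
    return "permit"       # ordinary Internet source


def render_acl(name, ours, excs):
    """Emit an IOS-style extended ACL; order matters, exceptions come first."""
    lines = [f"ip access-list extended {name}"]
    for e in excs:
        lines.append(f" permit ip {e.network_address} {e.hostmask} any")
    for o in ours:
        lines.append(f" deny ip {o.network_address} {o.hostmask} any log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    ours, excs = build_filter(OUR_BLOCKS, MULTIHOMED_EXCEPTIONS)
    for s in ("203.0.113.10", "203.0.113.70", "192.0.2.5"):
        print(s, ingress_verdict(s, ours, excs))
    print(render_acl("TRANSIT-IN", ours, excs))
```

The `deny ... log` entries are what let you see whether the traffic in the thread is spoofed from outside or genuinely originates inside; a hit there on a transit link is the spoofing case the quoted message assumes filters would catch.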

