nanog mailing list archives
Re: Tier 2 ingress filtering
From: Jared Mauch <jared () puck nether net>
Date: Thu, 28 Mar 2013 18:36:53 -0700
See below

Jared Mauch

On Mar 28, 2013, at 5:04 PM, Jimmy Hess <mysidia () gmail com> wrote:

> Ingress source addresses should optimally ideally be filtered at turnup to the list of authorized prefixes, if uRPF cannot be implemented (uRPF is convenient, but not necessarily necessary to implement ingress filtering), then access list based on source address, even the nearly oldest of the most ghetto equipment should be offering basic ACL functions.

Not everything can do ACLs at scale. Not all customers have anything reflecting symmetric routing creating a problem in the capabilities in the equipment working as desired.

Many customers honestly don't know how their things work or think they work in ways that are not fully accurate. You get lots of default pointing even when they run BGP.

Lots of people update prefix lists as a last resort vs proactively. Nobody removes things, making it hard.

Automation of systems is also hard. Not impossible, but hard. I'm hoping some of the SDN marketing becomes reality when it comes to managing these configs. Maybe I will be able to have uRPF work with my RPKI and SDN.
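An added illustration, not part of the post or the thread: a small model of the two ingress checks discussed above, showing where strict uRPF and a source-address ACL disagree when routing is asymmetric, plus an audit for prefix-list entries that were never removed. The prefixes (RFC 5737 documentation ranges), interface names and table layout are constructed assumptions.

```python
import ipaddress

# Constructed sample data using RFC 5737 documentation prefixes.
# Interface names and the table layout are assumptions for illustration.
AUTHORIZED = {  # per-customer-port source prefixes agreed at turn-up
    "cust-a": ["192.0.2.0/24", "198.51.100.0/25"],
}
FIB = {  # provider's best path per prefix -> egress interface
    "192.0.2.0/24": "cust-a",
    # The customer is multihomed and the best path to this prefix
    # points at another upstream: asymmetric routing.
    "198.51.100.0/25": "transit-1",
    "0.0.0.0/0": "transit-1",
}

def acl_permits(iface, src):
    """Source-address ACL: permit if src is inside any authorized prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in AUTHORIZED.get(iface, []))

def strict_urpf_permits(iface, src):
    """Strict uRPF: permit only if the longest-match route back to src
    leaves through the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in FIB if addr in ipaddress.ip_network(p)]
    if not matches:
        return False
    best = max(matches, key=lambda n: n.prefixlen)
    return FIB[str(best)] == iface

def stale_entries(iface, announced):
    """ACL prefixes no longer covered by anything the customer announces."""
    nets = [ipaddress.ip_network(p) for p in announced]
    return [p for p in AUTHORIZED.get(iface, [])
            if not any(ipaddress.ip_network(p).subnet_of(n) for n in nets)]

def compare(iface, src):
    """Verdict of both checks for one packet arriving on iface."""
    return {"acl": acl_permits(iface, src), "urpf": strict_urpf_permits(iface, src)}

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.20", "203.0.113.5"):
        print(src, compare("cust-a", src))
    print("stale:", stale_entries("cust-a", ["192.0.2.0/24"]))
```

The second source address is the asymmetric case: the ACL passes the customer's legitimate traffic while strict uRPF drops it, and the spoofed third address is dropped by both.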