nanog mailing list archives

Re: BCP38/84 and DDoS ACLs


From: joel jaeggli <joelja () bogus com>
Date: Fri, 26 May 2017 17:44:18 -0700

On 5/26/17 10:24, Kody Vicknair wrote:
When I was doing some research in regards to the same subject I ran across this doc. I've found it to be very helpful.

http://nabcop.org/index.php/DDoS-DoS-attack-BCOP
Casually applied RPF checks on transit and peer interfaces,
especially exchange fabrics, have a very high likelihood of blackholing
traffic you wanted, particularly during maintenance, if not carefully
implemented. A very careful read of RFC 3704/BCP 84 is a necessary part of
implementing BCP 38 filters.



Kody Vicknair
Network Engineer

Tel:    985.536.1214
Fax:    985.536.0300
Email:  kvicknair () reservetele com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084


-----Original Message-----
From: NANOG [mailto:nanog-bounces+kvicknair=reservetele.com () nanog org] On Behalf Of Roland Dobbins
Sent: Friday, May 26, 2017 12:20 PM
To: nanog () nanog org
Subject: Re: BCP38/84 and DDoS ACLs


On 26 May 2017, at 22:39, Graham Johnston wrote:

I am looking for information regarding standard ACLs that operators
may be using at the internet edge of their network, on peering and
transit connections,
These .pdf presos may be of interest:

<https://app.box.com/s/ko8lk4vlh1835p36na3u>

<https://app.box.com/s/xznjloitly2apixr5xge>

They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, situationally specific.  Depends on what kind of 
network it is, what servers/services/applications/users you have, et al.  You may need one set of ACLs at the 
peering/transit edge, and other, more specific ACLs, at the IDC distribution gateway, customer aggregation gateway, 
et al.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
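The RPF caveat joel raises above, as an added illustration that is not part of this thread: the three RPF modes defined in RFC 3704 (strict, feasible-path, loose) evaluated against a small constructed FIB, showing why a strict check on an exchange or peer interface drops legitimate traffic from a multihomed peer as soon as routing becomes asymmetric. The FIB entries, interface names (`transit0`, `ix0`, `cust0`) and source addresses are constructed for the example.

```python
# Added example (not from the thread): RFC 3704 / BCP 84 RPF modes checked
# against a constructed FIB, to show how a strict check on a peer or IX
# interface blackholes wanted traffic when routing is asymmetric.
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> (best next-hop interface, set of feasible interfaces).
# "Feasible" is every interface via which a route to the prefix is known
# (RFC 3704 section 2.3), not only the one currently installed as best.
# There is deliberately no default route: with one, loose RPF passes everything.
FIB = {
    ip_network("203.0.113.0/24"): ("transit0", {"transit0", "ix0"}),  # multihomed peer
    ip_network("198.51.100.0/24"): ("ix0", {"ix0"}),
    ip_network("192.0.2.0/24"): ("cust0", {"cust0"}),
}

def lookup(src):
    """Longest-prefix match on the source; None when the source is unrouted."""
    matches = [p for p in FIB if ip_address(src) in p]
    return FIB[max(matches, key=lambda p: p.prefixlen)] if matches else None

def rpf_check(mode, src, ingress):
    """True if a packet from src arriving on ingress passes the given RPF mode."""
    entry = lookup(src)
    if entry is None:            # no route at all: every mode drops (spoofed/bogon)
        return False
    best, feasible = entry
    if mode == "strict":         # section 2.2: best path must point back out ingress
        return best == ingress
    if mode == "feasible":       # section 2.3: any known path via ingress is enough
        return ingress in feasible
    if mode == "loose":          # section 2.4: only require that some route exists
        return True
    raise ValueError(f"unknown RPF mode {mode!r}")

def maintenance_blackhole_demo():
    """During maintenance the multihomed peer's traffic now enters via the IX
    fabric while our best route still points at transit: strict drops it."""
    src = "203.0.113.10"
    return {m: rpf_check(m, src, "ix0") for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    print(maintenance_blackhole_demo())
    print("spoofed 10.0.0.1 on ix0, loose:", rpf_check("loose", "10.0.0.1", "ix0"))
```

The customer-facing interface is where strict mode fits naturally: a single-homed customer prefix only ever arrives on its own port, so strict RPF there implements BCP 38 without the asymmetry problem.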


