nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Ingress filtering on transits, peers, and IX ports

From: <adamv0025 () netconsultings com>
Date: Thu, 15 Oct 2020 15:46:23 +0100
From: Saku Ytti <saku () ytti fi>
Sent: Thursday, October 15, 2020 3:30 PM

On Thu, 15 Oct 2020 at 17:22, Tim Durack <tdurack () gmail com> wrote:



We deploy urpf strict on all customer end-host and broadband circuits. In

this scenario urpf = ingress acl I don't have to think about.

But you have to think about what prefixes a customer has. If BGP you need
to generate prefix-list, if static you need to generate a static route. As you
already have to know and manage this information, what is the incremental
cost to also emit an ACL?


Actually ideally there would be a feature/knob to automatically sync BGP (and static routes) with packet filters.

adam
Previous By Date Next
Previous By Thread Next

Current thread: