nanog mailing list archives

Re: Ingress filtering on transits, peers, and IX ports


From: Tim Durack <tdurack () gmail com>
Date: Thu, 15 Oct 2020 10:49:35 -0400

On Thu, Oct 15, 2020 at 10:30 AM Saku Ytti <saku () ytti fi> wrote:

> On Thu, 15 Oct 2020 at 17:22, Tim Durack <tdurack () gmail com> wrote:
>
> > We deploy urpf strict on all customer end-host and broadband circuits.
> > In this scenario urpf = ingress acl I don't have to think about.
>
> But you have to think about what prefixes a customer has. If BGP you
> need to generate prefix-list, if static you need to generate a static
> route. As you already have to know and manage this information, what
> is the incremental cost to also emit an ACL?
>
> --
>   ++ytti


"You might argue that ingress packet acl would be operationally simpler on
customer and upstream, as you could cover all scenarios."

Although for a static customer urpf is hard to beat...

-- 
Tim:>
