[194724] in North American Network Operators' Group


Re: BCP38/84 and DDoS ACLs

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri May 26 13:21:13 2017

X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sat, 27 May 2017 00:19:34 +0700
In-Reply-To: <82C0CE81789FE64D8F4D15263191829715CD0841@MSG6.westman.int>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 26 May 2017, at 22:39, Graham Johnston wrote:

> I am looking for information regarding standard ACLs that operators 
> may be using at the internet edge of their network, on peering and 
> transit connections,

These .pdf presos may be of interest:

<https://app.box.com/s/ko8lk4vlh1835p36na3u>

<https://app.box.com/s/xznjloitly2apixr5xge>

They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, 
situationally-specific.  Depends on what kind of network it is, what 
servers/services/applications/users you have, et al.  You may need one 
set of ACLs at the peering/transit edge, and other, more specific ACLs, 
at the IDC distribution gateway, customer aggregation gateway, et al.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>

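As an added illustration (not from the thread or the linked presentations), a small Python model of the two-tier placement described above: an infrastructure ACL (iACL) inbound on peering/transit links, and a BCP38-style source-address check inbound on customer aggregation ports. The prefixes, peer address and packets are constructed documentation-range samples, not a real network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address space (RFC 5737 documentation prefixes).
INFRA_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]        # routers, loopbacks, link nets
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # space assigned to downstream customers
EBGP_PEERS = {ipaddress.ip_address("203.0.113.1")}             # far-end addresses of our peering sessions
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


def _in(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def peering_edge_iacl(pkt: Packet) -> str:
    """Infrastructure ACL applied inbound on peering/transit links.

    Outside hosts may not talk *to* the infrastructure itself, except for
    the eBGP sessions we deliberately run with known peers.  Traffic that
    merely transits through the network is not this ACL's concern."""
    if _in(pkt.dst, INFRA_PREFIXES):
        if (pkt.proto == "tcp" and pkt.dport == BGP_PORT
                and ipaddress.ip_address(pkt.src) in EBGP_PEERS):
            return "permit"   # configured eBGP peer reaching our router
        return "deny"         # anything else aimed at infrastructure addresses
    return "permit"           # transit traffic passes; filter it elsewhere


def customer_edge_bcp38(pkt: Packet) -> str:
    """BCP38 ingress filter applied inbound on customer aggregation ports:
    only source addresses we actually assigned to the customer may enter."""
    return "permit" if _in(pkt.src, CUSTOMER_PREFIXES) else "deny"
```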