[102935] in North American Network Operators' Group


Re: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Mark Tinka)
Sat Mar 8 23:26:02 2008

From: Mark Tinka <mtinka@globaltransit.net>
Reply-To: mtinka@globaltransit.net
To: Justin Shore <justin@justinshore.com>
Date: Sun, 9 Mar 2008 12:24:31 +0800
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <47D19D99.9000408@justinshore.com>
Errors-To: owner-nanog@merit.edu



On Saturday 08 March 2008, Justin Shore wrote:

> What kind of customer-facing filtering do you do (ingress
> and egress)? This of course is dependent on the type of
> customer, so let's assume we're talking about an average
> residential customer.

We supply to mid-to-small ISPs mostly, and sizeable
enterprise customers; so the degree to which we can filter
is limited.

That said, at the edge, we run uRPF on all customer-facing
ports (loose or strict, depending on the deployment).

In addition, on each edge router's core-facing uplinks, we
run egress ACLs matching RFC 1918 and RFC 3330 (yes, with
uRPF downstream to the customers, this might seem
redundant, but we've actually seen some 'catches', so it
appears to help us solidify our filtering implementation).

In the core, we don't filter or run uRPF, for obvious
reasons.

On our border routers, we deploy ingress filters, again,
cutting off RFC 1918 and RFC 3330.

On peering routers (private peering and exchange points), we
run uRPF on our peering interface (taking care to run loose
mode in case private peers also peer at the public exchange
point). Again, upstream ACLs are implemented on
core-facing uplinks to "double-check".

As you can tell, we don't filter
protocols/ports/applications. We leave that to the
customer, and insist on it.

All the above goes for IPv6 as well, as appropriate.

We are also quite picky about NLRI filtering (BGP), but
that's beyond this scope :-).

Hope this helps.

Cheers,

Mark.
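The two-stage arrangement Mark describes (uRPF on the customer- or peer-facing port, then an RFC 1918 / RFC 3330 ACL on the core-facing uplink as a second check) can be modelled in a few dozen lines, which makes it easy to see both why the ACL still "catches" things behind loose uRPF and why loose mode is the right choice on an exchange-point interface. The example below is added here for illustration; it is not Mark's configuration or anybody's router code. The FIB, the interface names (Gi0/1, Gi0/2, Gi0/3, Te1/1), the packets, and the allow_default knob (a generic stand-in for the "allow-default" option most uRPF implementations have) are all constructed assumptions, and the special-use prefix list is only an illustrative subset of RFC 1918 and RFC 3330.

```python
"""
Simulation of the two-stage anti-spoofing filter described in the post:
uRPF on the customer/peer-facing interface, then an RFC 1918 / RFC 3330
special-use ACL on the core-facing uplink as a second check.

Constructed example: the FIB, interface names and packets below are invented
for illustration and are not anyone's production configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Illustrative subset of the special-use prefixes in RFC 1918 and RFC 3330.
# Caveat: a real bogon ACL must track the current IANA special-use registry;
# several RFC 3330 entries (e.g. 14/8, 24/8, 39/8) have since been allocated
# and must no longer be filtered.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_special_use(src: str) -> bool:
    """Uplink egress ACL: does the source fall in special-use space?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in SPECIAL_USE)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class Fib:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), ifn) for p, ifn in routes]

    def lookup(self, src: str, allow_default: bool = False) -> Optional[Route]:
        ip = ipaddress.ip_address(src)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        # Assumed "allow-default" behaviour: a default route does not satisfy
        # uRPF unless explicitly allowed, otherwise loose mode would pass
        # every source on the Internet.
        if best is not None and best.prefix.prefixlen == 0 and not allow_default:
            return None
        return best


def urpf_passes(fib: Fib, src: str, ingress_if: str, mode: str,
                allow_default: bool = False) -> bool:
    """Strict: the reverse path must point at the ingress interface.
    Loose: any (non-default) route to the source is enough."""
    route = fib.lookup(src, allow_default)
    if route is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress_if
    raise ValueError(f"unknown uRPF mode {mode!r}")


def edge_verdict(fib: Fib, src: str, ingress_if: str, mode: str,
                 allow_default: bool = False):
    """Run one packet through both stages. Returns ('permit', None) or
    ('drop', reason), where reason names the stage that caught it."""
    if not urpf_passes(fib, src, ingress_if, mode, allow_default):
        return ("drop", f"urpf-{mode}")
    if is_special_use(src):          # the "double-check" on the core uplink
        return ("drop", "uplink-acl")
    return ("permit", None)


# Constructed FIB for one edge/peering router:
#   Gi0/1 customer port, Gi0/2 private peering, Gi0/3 exchange point,
#   Te1/1 core uplink (which also carries internal 10/8 management space).
FIB = Fib([
    ("203.0.113.0/24", "Gi0/1"),   # customer's prefix
    ("198.51.100.0/24", "Gi0/2"),  # private peer's prefix, learned over Gi0/2
    ("10.0.0.0/8", "Te1/1"),       # internal management space via the core
    ("0.0.0.0/0", "Te1/1"),        # default towards the core
])

if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "Gi0/1", "strict"),  # customer sourcing its own space
        ("198.51.100.7", "Gi0/1", "strict"),  # customer spoofing the peer
        ("10.1.2.3", "Gi0/1", "loose"),       # RFC 1918 source; loose uRPF passes it
        ("198.51.100.7", "Gi0/3", "loose"),   # peer's traffic arriving via the IX
        ("198.51.100.7", "Gi0/3", "strict"),  # same packet under strict mode
        ("192.0.2.9", "Gi0/3", "loose"),      # no route at all (default ignored)
    ]
    for src, ifn, mode in cases:
        print(f"{src:>14} in {ifn} {mode:6} -> {edge_verdict(FIB, src, ifn, mode)}")
```

The third case is the 'catch': because 10/8 exists in the FIB (internal management space reached via the core), loose uRPF passes a customer packet sourced from 10.1.2.3 and it is the uplink ACL that drops it. The fourth and fifth cases show the exchange-point situation from the post: the private peer's prefix is learned over Gi0/2, so a packet from that peer arriving over the IX port would be dropped under strict mode and only passes under loose mode. The last case shows why the default route must not count for uRPF.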


