[102982] in North American Network Operators' Group


Re: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Jo Rhett)
Tue Mar 11 02:33:49 2008

Date: Mon, 10 Mar 2008 23:27:23 -0700
From: Jo Rhett <jrhett@netconsonance.com>
To: Justin Shore <justin@justinshore.com>
CC: NANOG <nanog@merit.edu>
In-Reply-To: <47D19D99.9000408@justinshore.com>
Errors-To: owner-nanog@merit.edu


Justin Shore wrote:
> I'm assuming everyone uses uRPF at all their edges already so that 
> eliminates the need for specific ACEs with ingress/egress network 
> verification checks.

ha.  I only wish that was true.

We do filter all customer ports for IPs we believe from them, but darn 
few other providers do.  (as based on my conversations with many 
providers when tracking down attacks from their networks)

That said, we filter nothing else.

> Frags are explicitly dropped before any permits.

...?  So you have no real, production sites?
