[12586] in North American Network Operators' Group
Re: Packets from net 10 (no, not the lyrics)
daemon@ATHENA.MIT.EDU (John A. Tamplin)
Tue Sep 23 18:05:40 1997
Date: Tue, 23 Sep 1997 16:59:58 -0500 (CDT)
From: "John A. Tamplin" <jat@traveller.com>
To: nanog@merit.edu
In-Reply-To: <Pine.SGI.3.91.970923164418.11281X-100000@optical>
On Tue, 23 Sep 1997, Todd R. Stroup wrote:
> > Maybe I am missing something, but we use an inbound access list on all
> > external links that eliminates IP address spoofing, as well as some basic
> > security issues (blocking NFS, r* commands, etc just in case some machine
> > inside is misconfigured). If you have an inbound access list that filters
> > based on the source address already, why would you not add the private
> > addresses to that?
>
> This is sort of a different issue. You are filtering IP, not routes. If
> you peer with someone that is sending you 10/8 even though you have it
> filtered on the inbound of your interface (which is good for CPU) you will
> still have a route injected into your route tables which could be
> bad. Why not destroy the bad routes before they get to your routing
> table?
I guess I was referring to those comments in this thread suggesting that,
instead of using inbound access filters, which cause CPU performance issues,
routes should instead be generated to null0 (which, from my understanding, is
still process switched). Perhaps my choice of message to quote was poor,
but my point is that it seems like you need an ACL on every incoming link
regardless, and you need a filter list on every BGP peer regardless, so why
not put checks in both? I wouldn't think that, given that you need an access
list, adding a few more entries is going to significantly impact performance.
John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801
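The two layers the thread distinguishes, a packet filter on the external interface and a route filter on the BGP session, written out as one configuration. This is an added example, not configuration from the original post or from Traveller; it assumes a Cisco IOS router with ip prefix-list support, and the interface name Serial0, the ACL and prefix-list names, the AS numbers 65000/65001, the peer address 203.0.113.1 and the "own" block 192.0.2.0/24 are placeholders.

```cisco
! --- Layer 1: inbound packet filter on the external link ---
! Drops packets whose source address claims RFC 1918 space or our own
! block (anti-spoof), plus the NFS and r* services the thread mentions.
! This is evaluated per packet, which is where the CPU concern comes from.
ip access-list extended EXTERNAL-IN
 remark RFC 1918 sources have no business arriving from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Our own prefix (placeholder 192.0.2.0/24) must never be a source on the outside
 deny   ip 192.0.2.0 0.0.0.255 any
 remark NFS (2049) and rexec/rlogin/rsh (512-514) in case an inside host is misconfigured
 deny   udp any any eq 2049
 deny   tcp any any eq 2049
 deny   tcp any any range 512 514
 permit ip any any
!
interface Serial0
 description External link (placeholder)
 ip access-group EXTERNAL-IN in
!
! --- Layer 2: route filter on the BGP peer ---
! The ACL above does nothing about a peer announcing 10/8; without this
! list the prefix would still be installed in the routing table.
ip prefix-list BOGON-IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list BOGON-IN seq 10 deny 172.16.0.0/12 le 32
ip prefix-list BOGON-IN seq 15 deny 192.168.0.0/16 le 32
ip prefix-list BOGON-IN seq 20 deny 192.0.2.0/24 le 32
ip prefix-list BOGON-IN seq 100 permit 0.0.0.0/0 le 24
!
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 description Upstream peer (placeholder)
 neighbor 203.0.113.1 prefix-list BOGON-IN in
!
! --- The null0 alternative discussed in the thread ---
! A static route to Null0 keeps traffic destined for private space from
! following a default route out to the peer.  It is a routing-table check,
! not a substitute for the inbound ACL on source addresses.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
```

The "le 32" on each deny entry matches the private block and every more-specific inside it, so a peer announcing 10.1.0.0/16 is rejected along with 10/8 itself; the final permit with "le 24" also refuses anything longer than a /24, which is a common addition but is an assumption of this example rather than something the thread asked for.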