[127184] in North American Network Operators' Group


Re: Todd Underwood was a little late

daemon@ATHENA.MIT.EDU (Jon Lewis)
Wed Jun 16 22:43:37 2010

Date: Wed, 16 Jun 2010 22:43:11 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <201006170207.o5H27XJn065911@drugs.dv.isc.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, 17 Jun 2010, Mark Andrews wrote:

> Why was this traffic hitting your DNS server in the first place?  It should
> have been rejected by the ingress filters preventing spoofing of the local
> network.

When I ran a smaller, simpler network, I did have input filters on our 
transit providers rejecting packets from our IP space.  With a larger 
network, multiple IP blocks, numerous multihomed customers, some of which 
use IPs we've assigned them, it gets a little more complicated to do.

I could reject at our border, packets sourced from our IP ranges with 
exceptions for any of the IP blocks we've assigned to multihomed 
customers.  The ACLs wouldn't be that long, or that hard to maintain.  Is 
this common practice?

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
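The border filter Jon describes (drop inbound packets from transit whose source falls in our own address space, except for sub-blocks assigned to multihomed customers, whose traffic may legitimately arrive via another provider) can be modelled and sanity-checked before it is pushed to a router. The script below is an added example, not code from this thread, from NANOG or from Atlantic Net; the prefixes are constructed documentation ranges, and the ACL it renders uses a generic IOS-style syntax as an assumption about the target platform.

```python
import ipaddress

# Constructed sample data (documentation ranges, not the poster's real allocations).
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
# Hypothetical sub-block assigned to a multihomed customer; it must NOT be dropped
# at the transit edge because the customer may announce it via their other upstream.
MULTIHOMED_CUSTOMER_PREFIXES = ["198.51.100.128/26"]


def build_filter(own, exceptions):
    """Parse prefix lists and check that every exception sits inside our own space.

    An exception outside our space would be a no-op permit and usually a typo,
    so it is rejected here rather than silently accepted.
    """
    own_nets = [ipaddress.ip_network(p, strict=True) for p in own]
    exc_nets = [ipaddress.ip_network(p, strict=True) for p in exceptions]
    for e in exc_nets:
        if not any(e.version == o.version and e.subnet_of(o) for o in own_nets):
            raise ValueError(f"exception {e} is not inside any of our prefixes")
    return own_nets, exc_nets


def transit_ingress_action(src, own_nets, exc_nets):
    """Decide what the inbound-from-transit filter does with a packet from src.

    Order matters: exceptions (multihomed customers) are matched first, then our
    own space is dropped as spoofed, and everything else is permitted.
    """
    addr = ipaddress.ip_address(src)
    if any(addr.version == e.version and addr in e for e in exc_nets):
        return "permit"  # legitimately sourced by a multihomed customer elsewhere
    if any(addr.version == o.version and addr in o for o in own_nets):
        return "deny"    # our own space arriving from outside: spoofed
    return "permit"


def render_ios_acl(name, own_nets, exc_nets):
    """Render the same policy as IOS-style extended ACL lines (assumed syntax).

    Returns the lines as a list so they can be inspected or diffed before use.
    Wildcard masks are the host mask of each prefix (e.g. /26 -> 0.0.0.63).
    """
    lines = [f"ip access-list extended {name}"]
    for e in sorted(exc_nets, key=lambda n: (n.version, n.prefixlen), reverse=True):
        lines.append(f" permit ip {e.network_address} {e.hostmask} any")
    for o in own_nets:
        # "log" lets the hits feed a detection pipeline for spoofing attempts
        lines.append(f" deny ip {o.network_address} {o.hostmask} any log")
    lines.append(" permit ip any any")
    return lines


def audit(sources, own_nets, exc_nets):
    """Return {src: action} for a batch of observed source addresses."""
    return {s: transit_ingress_action(s, own_nets, exc_nets) for s in sources}


if __name__ == "__main__":
    own, exc = build_filter(OWN_PREFIXES, MULTIHOMED_CUSTOMER_PREFIXES)
    # Constructed sample of sources seen on the transit-facing interface.
    for src, action in audit(["192.0.2.10", "198.51.100.150",
                              "198.51.100.50", "8.8.8.8"], own, exc).items():
        print(f"{src:16} {action}")
    print("\n".join(render_ios_acl("TRANSIT-IN-ANTISPOOF", own, exc)))
```

The permit-before-deny ordering is the whole point of the exception list: a customer sub-block placed after the deny would be dropped along with the spoofed traffic. Running `build_filter` against the real prefix inventory also catches the common maintenance error of listing an exception that is not actually inside any owned block.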

