[127188] in North American Network Operators' Group


Re: Todd Underwood was a little late

daemon@ATHENA.MIT.EDU (Garrett Skjelstad)
Thu Jun 17 01:07:22 2010

In-Reply-To: <4C19A6D2.6030603@gmail.com>
Date: Wed, 16 Jun 2010 22:07:10 -0700
From: Garrett Skjelstad <garrett@skjelstad.org>
To: Roy <r.engehausen@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

RFC 2827 anyone?

On Wed, Jun 16, 2010 at 9:38 PM, Roy <r.engehausen@gmail.com> wrote:

> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>
>> On Thu, 17 Jun 2010, Mark Andrews wrote:
>>
>>> Why was this traffic hitting your DNS server in the first place?  It
>>> should have been rejected by the ingress filters preventing spoofing of
>>> the local network.
>>>
>>
>> When I ran a smaller simpler network, I did have input filters on our
>> transit providers rejecting packets from our IP space.  With a larger
>> network, multiple IP blocks, numerous multihomed customers, some of which
>> use IP's we've assigned them, it gets a little more complicated to do.
>>
>> I could reject at our border, packets sourced from our IP ranges with
>> exceptions for any of the IP blocks we've assigned to multihomed customers.
>>  The ACLs wouldn't be that long, or that hard to maintain.  Is this common
>> practice?
>>
>> -
>>
>
> Sounds like a good use of URPF.
>
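The two suggestions in the quoted exchange (a border ACL with exceptions for multihomed customers, and uRPF) do not catch the same packets, and the difference is exactly the multihomed case Jon Lewis raises. The following is an added illustration, not code from the thread or from any of the posters: a toy longest-prefix-match FIB built from RFC 5737 documentation prefixes, with constructed interface names, and three checks run against it. A packet from the block delegated to a multihomed customer can legitimately arrive from transit (the customer reached us through their other provider), so the exception ACL permits it, strict uRPF on the transit interface drops it because the best route to that source points at the customer port, and loose uRPF permits it but also permits anything spoofing our single-homed space.

```python
"""Ingress anti-spoofing at a transit border: RFC 2827 ACL with
multihomed exceptions versus strict and loose uRPF.

Added example, not from the NANOG thread. All prefixes are RFC 5737
documentation ranges and all interface names are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB of the provider: (prefix, egress interface).
# 203.0.113.0/24 stands in for "the rest of the Internet" so that the
# table has no default route (see the note on allow-default below).
FIB = [
    (ip_network("203.0.113.0/24"), "transit0"),
    (ip_network("192.0.2.0/24"), "core"),           # our aggregate
    (ip_network("192.0.2.128/25"), "cust-multi"),   # delegated to a multihomed customer
    (ip_network("198.51.100.0/24"), "cust-single"), # single-homed customer
]
OUR_SPACE = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Blocks we assigned to multihomed customers: their packets may arrive
# from transit via the customer's other upstream, so the ACL must let them in.
MULTIHOMED_EXCEPTIONS = [ip_network("192.0.2.128/25")]


def lookup(src, fib=FIB):
    """Longest-prefix match for a source address.
    Returns (prefix, interface) or None if the source is unrouted."""
    addr = ip_address(src)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def acl_permits(src, ingress):
    """Static ingress ACL on transit interfaces, as described in the thread:
    deny packets claiming a source inside our own space unless the block is
    delegated to a multihomed customer. Customer ports are not covered."""
    addr = ip_address(src)
    if not ingress.startswith("transit"):
        return True
    if any(addr in net for net in MULTIHOMED_EXCEPTIONS):
        return True
    return not any(addr in net for net in OUR_SPACE)


def strict_urpf(src, ingress, fib=FIB):
    """Strict uRPF: permit only if the best route back to the source leaves
    via the interface the packet arrived on."""
    hit = lookup(src, fib)
    return hit is not None and hit[1] == ingress


def loose_urpf(src, ingress, fib=FIB):
    """Loose uRPF: permit if the source is reachable via any interface.
    The ingress interface is irrelevant; only unrouted sources are dropped."""
    return lookup(src, fib) is not None


def evaluate(src, ingress):
    """Run all three checks on one (source, ingress interface) pair."""
    return {
        "acl": acl_permits(src, ingress),
        "strict": strict_urpf(src, ingress),
        "loose": loose_urpf(src, ingress),
    }


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "transit0"),   # spoofed: our single-homed customer's address from upstream
        ("192.0.2.200", "transit0"),    # legitimate: multihomed customer arriving via other provider
        ("203.0.113.9", "transit0"),    # ordinary Internet source
        ("10.0.0.1", "transit0"),       # unrouted source
        ("192.0.2.5", "cust-single"),   # spoofed: customer claiming a core address
        ("198.51.100.7", "cust-single"),  # legitimate customer traffic
    ]
    for src, iface in cases:
        print(f"{src:>14} on {iface:<11} {evaluate(src, iface)}")
```

Strict mode is the right fit on single-homed customer ports, where the return path is symmetric; on a transit port carrying a full table it behaves as above, but on a port whose only route is a default the check needs the vendor's allow-default option (Cisco's `ip verify unicast source reachable-via rx allow-default`) or it will drop everything, at which point it no longer distinguishes spoofed from genuine sources. Neither uRPF mode replaces the static ACL for the multihomed case in this model; the ACL with exceptions is what permits that traffic while still stopping spoofing of the single-homed blocks.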
