[157735] in North American Network Operators' Group


Re: p2p addresses for point-to-point connections with customers

daemon@ATHENA.MIT.EDU (Tassos Chatzithomaoglou)
Tue Nov 6 07:31:29 2012

Date: Tue, 06 Nov 2012 14:31:12 +0200
From: Tassos Chatzithomaoglou <achatz@forthnetgroup.gr>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <7B5C1FA0-1F62-4F84-AB4A-533FDDB1FF7D@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Having an iACL format like the one below means that I would have to add at least one extra "permit" entry before the
spoofing entries.

deny MARTIANS/BOGONS
deny SPOOFING
deny PROTOCOLS/PORTS
permit BGP-PEERINGS
permit TUNNELS
deny INFRASTRUCTURE
permit ANY

If that's indeed the case, what non-routing protocols do you allow from/to these types of addresses?
Only specific types of ICMP messages?

--
Tassos

Dobbins, Roland wrote on 06/11/2012 14:05:
> On Nov 6, 2012, at 6:32 PM, Tassos Chatzithomaoglou wrote:
>
>> Do you filter them on your border routers (via iACLs)
> Yes.
>
>> and if yes, how?
> The same way you filter any other interface addresses in your iACLs.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> 	  Luck is the residue of opportunity and design.
>
> 		       -- John Milton
>


