[161953] in North American Network Operators' Group
Re: Tier 2 ingress filtering
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Mar 28 21:37:09 2013
In-Reply-To: <CAAAwwbXj7JtS2aAzNdk59L0gZSR8y04DWRaghKzmBY4RBFFRMw@mail.gmail.com>
From: Jared Mauch <jared@puck.nether.net>
Date: Thu, 28 Mar 2013 18:36:53 -0700
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG <nanog@nanog.org>
See below
Jared Mauch
On Mar 28, 2013, at 5:04 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> Ingress source addresses should optimally ideally be filtered at
> turnup to the list of authorized prefixes, if uRPF cannot be
> implemented (uRPF is convenient, but not necessarily necessary to
> implement ingress filtering), then access list based on source
> address, even the nearly oldest of the most ghetto equipment should
> be offering basic ACL functions.
Not everything can do ACLs at scale. Not all customers have anything reflecting symmetric routing, creating a problem in the capabilities of the equipment working as desired.
Many customers honestly don't know how their things work, or think they work in ways that are not fully accurate. You get lots of default pointing even when they run BGP. Lots of people update prefix lists as a last resort vs. proactively. Nobody removes things, making it hard. Automation of systems is also hard. Not impossible, but hard. I'm hoping some of the SDN marketing becomes reality when it comes to managing these configs.
Maybe I will be able to have uRPF work with my RPKI and SDN.
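The exchange above contrasts three ways of doing ingress source-address filtering on a customer port: strict uRPF, loose uRPF, and an explicit ACL built from the prefixes the customer was turned up with. The following is an added example, not code from the thread or from either poster; it models those three checks against a constructed FIB and a constructed authorized-prefix list so the failure modes each side mentions are visible: strict uRPF drops legitimate traffic when a customer's routing is asymmetric, loose uRPF lets a neighbouring customer's prefix through, and a source ACL only works as long as the prefix list is actually maintained. The interface names, prefixes and the `allow_default` option name are assumptions for illustration.

```python
"""Ingress source-address filtering on a customer port, three ways.

Added example (not from the NANOG thread): strict uRPF, loose uRPF and an
explicit source ACL evaluated against a constructed FIB and a constructed
per-port list of authorized prefixes.
"""
import ipaddress

# Constructed FIB: destination prefix -> egress interface. Interface names
# are assumptions. The default route points at the upstream.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/1",  # customer A
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/2",   # customer B
    ipaddress.ip_network("0.0.0.0/0"): "ge-0/0/0",        # upstream (default)
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed per-port authorized source prefixes (what each customer was
# turned up with). Customer A also originates 192.0.2.0/24 but our best route
# to it is via the upstream, i.e. asymmetric routing from this router's view.
AUTHORIZED = {
    "ge-0/0/1": [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/24")],
}


def fib_lookup(src):
    """Longest-prefix match on the FIB; returns (matched prefix, egress interface)."""
    addr = ipaddress.ip_address(src)
    best = max((p for p in FIB if addr in p), key=lambda p: p.prefixlen)
    return best, FIB[best]


def urpf_strict(iface, src):
    """Strict uRPF: the best route back to src must exit via the ingress port."""
    _, out_iface = fib_lookup(src)
    return out_iface == iface


def urpf_loose(iface, src, allow_default=False):
    """Loose uRPF: any route to src suffices, regardless of interface.
    The default route only counts if allow_default is set (assumed option name)."""
    prefix, _ = fib_lookup(src)
    return prefix != DEFAULT or allow_default


def source_acl(iface, src):
    """Explicit ACL: permit only sources inside the prefixes authorized on that port."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in AUTHORIZED.get(iface, []))


def evaluate(iface, src):
    """Run all three checks for one packet; True means the packet is permitted."""
    return {
        "strict": urpf_strict(iface, src),
        "loose": urpf_loose(iface, src),
        "acl": source_acl(iface, src),
    }


def stale_acl_entries(configured, authorized):
    """Entries still present in a port's configured ACL that are no longer
    authorized: the 'nobody removes things' drift that makes ACLs hard to trust."""
    configured_nets = {ipaddress.ip_network(c) for c in configured}
    return sorted(configured_nets - set(authorized), key=str)


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source address, description)
    packets = [
        ("ge-0/0/1", "198.51.100.7", "customer A, own prefix"),
        ("ge-0/0/1", "192.0.2.9", "customer A, asymmetric prefix"),
        ("ge-0/0/1", "203.0.113.5", "customer A spoofing customer B"),
        ("ge-0/0/1", "10.0.0.1", "customer A spoofing bogon"),
    ]
    print(f"{'packet':34} strict loose acl")
    for iface, src, desc in packets:
        r = evaluate(iface, src)
        print(f"{desc:34} {r['strict']!s:6} {r['loose']!s:5} {r['acl']!s}")
    # A configured ACL that still carries an entry the customer no longer owns.
    print("stale:", [str(n) for n in stale_acl_entries(
        ["198.51.100.0/24", "192.0.2.0/24", "203.0.113.128/25"], AUTHORIZED["ge-0/0/1"])])
```

The asymmetric case is the one Jared's reply is about: `192.0.2.9` on `ge-0/0/1` is legitimate per the turnup list, but our best route to it is the default via the upstream, so strict uRPF drops it and loose uRPF (without `allow_default`) does too; only the ACL permits it. The spoof-of-customer-B case shows the opposite weakness: loose uRPF permits it because a route exists somewhere. `stale_acl_entries` is the check you would run against the deployed config to catch prefixes that were added and never removed.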