[161983] in North American Network Operators' Group


Re: Tier 2 ingress filtering

daemon@ATHENA.MIT.EDU (Saku Ytti)
Sat Mar 30 09:33:04 2013

Date: Sat, 30 Mar 2013 15:32:46 +0200
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <515589B3.5070709@fud.no>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On (2013-03-29 13:31 +0100), Tore Anderson wrote:

> I've had some problems with my upstream providers' ingress filtering,
> for example:

That sounds like uRPF, which you should not run towards your transit
customers.

I'm talking only about using an ACL. And I stand by that I've never had to fix
something that is broken.

Now naturally it has happened that my customer has gotten a new prefix, and
things have been wonky, because they forgot to make a route object, which
meant we didn't allow the prefix nor allow it in the ACL.
However, I think my customers prefer this. The alternative is that
everything works fine for 6 months, until the other transit who does not BGP
filter goes down, after which the network stops propagating and everything
is down. At least with an ACL you notice the problem immediately.

-- 
  ++ytti
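
The workflow described in this message, where a customer's route objects drive both the BGP prefix filter and the ingress ACL, shown as an added example that is not part of the original post. The RPSL sample is constructed (documentation prefixes, private-use ASNs) and all function names are hypothetical.

```python
import ipaddress

# Constructed RPSL route objects; AS64500 is the customer being filtered.
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500

route:   203.0.113.0/24
origin:  AS64501
"""

def parse_route_objects(text):
    """Return {origin_as: [ip_network, ...]} from blank-line separated objects."""
    routes = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            # strict=True rejects prefixes with host bits set (malformed objects)
            net = ipaddress.ip_network(attrs["route"], strict=True)
            routes.setdefault(attrs["origin"].upper(), []).append(net)
    return routes

def build_filters(routes, customer_as):
    """One prefix set feeds both filters, so they can never disagree."""
    allowed = list(ipaddress.collapse_addresses(routes.get(customer_as, [])))
    return {"bgp_prefix_filter": allowed, "ingress_acl": allowed}

def audit_sources(acl, sources):
    """Return the source addresses the ingress ACL would drop."""
    return [s for s in sources
            if not any(ipaddress.ip_address(s) in net for net in acl)]

if __name__ == "__main__":
    filters = build_filters(parse_route_objects(IRR_DUMP), "AS64500")
    # 198.51.100.7 stands for a host in a new prefix with no route object yet
    dropped = audit_sources(filters["ingress_acl"], ["192.0.2.10", "198.51.100.7"])
    print("dropped at ingress:", dropped)
```

Traffic sourced from the unregistered prefix is dropped on the first packet, which is the immediate failure the message prefers over a BGP-only filter whose gap stays hidden until the unfiltered transit goes away.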

