[183215] in North American Network Operators' Group
Re: Peering + Transit Circuits
daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Tue Aug 18 19:07:03 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <CAE_ug143GsMN3+CNz=AgTr+xjGWY2CrmXYW=jf36JQ3AAnukFw@mail.gmail.com>
Date: Wed, 19 Aug 2015 01:02:16 +0200
From: Baldur Norddahl <baldur.norddahl@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 18 August 2015 at 14:29, Tim Durack <tdurack@gmail.com> wrote:
> 4. Don't worry about peers stealing transit.
>
Because both of our transit providers implement source filters. Any packets
received with a source IP not in the list of IP ranges registered by us
will be dropped by the transit provider. Stealing transit is not practical
given the limitation that you need to use a source address from our ranges.
I use ACLs on our end too just to be sure. ACL on the transit to prevent
wrong source from leaving our network and ACL on the peering to prevent
wrong destination from entering the network. Actually both ACLs are used in both
places.
The prefix lists used for the ACL need to be maintained in any case. It is
the list of routes that we advertise.
Regards,
Baldur
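
The filtering described in the message above, as an added example that is not part of the original post: a Python sketch that derives both checks from one advertised-prefix list and applies them to packets on transit and peering ports. The prefixes, packets and function names are constructed for illustration (documentation address ranges), and it assumes "both ACLs in both places" means source-checking outbound and destination-checking inbound on every external port.

```python
import ipaddress

# Constructed sample: documentation prefixes stand in for the routes the
# network advertises (the list the post says must be maintained anyway).
ADVERTISED = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25",
              "2001:db8:100::/48"]

def build_prefix_set(prefixes):
    """Parse and aggregate the advertised routes, keyed by IP version."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return {v: list(ipaddress.collapse_addresses(n for n in nets if n.version == v))
            for v in (4, 6)}

def is_ours(addr, prefix_set):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefix_set[ip.version])

def acl_decision(direction, src, dst, prefix_set):
    """Decide one packet on an external (transit or peering) port.

    "out": packet leaving our network  -> source must be one of our prefixes.
    "in":  packet entering our network -> destination must be one of ours.
    """
    if direction == "out":
        return "permit" if is_ours(src, prefix_set) else "deny"
    if direction == "in":
        return "permit" if is_ours(dst, prefix_set) else "deny"
    raise ValueError("direction must be 'in' or 'out'")

# Constructed packets: (port, direction, source, destination).
SAMPLE_PACKETS = [
    ("transit", "out", "192.0.2.10", "203.0.113.5"),      # our customer, normal
    ("transit", "out", "203.0.113.77", "203.0.113.5"),    # foreign source leaving
    ("peering", "in", "203.0.113.5", "198.51.100.200"),   # peer -> our customer
    ("peering", "in", "203.0.113.5", "203.0.113.99"),     # peer -> third party
    ("peering", "in", "2001:db8:ffff::1", "2001:db8:100::1"),
]

def evaluate(packets, prefixes=ADVERTISED):
    """Return the decision for each sample packet, in order."""
    pset = build_prefix_set(prefixes)
    return [acl_decision(d, s, t, pset) for _, d, s, t in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{pkt[0]:8} {pkt[1]:3} {pkt[2]} -> {pkt[3]}: {verdict}")
```

The fourth packet is the "stealing transit" case: traffic from a peer to a destination outside the advertised prefixes is denied at the peering port before it can reach a transit link.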