[195629] in North American Network Operators' Group
Re: Cogent BCP-38
daemon@ATHENA.MIT.EDU (Robert Blayzor)
Tue Aug 29 08:41:15 2017
From: Robert Blayzor <rblayzor.bulk@inoc.net>
Date: Tue, 29 Aug 2017 08:41:12 -0400
To: NANOG list <nanog@nanog.org>
> On 29 August 2017 at 03:38, Robert Blayzor <rblayzor.bulk@inoc.net> wrote:
>
>> Well not completely useless. BCP will still drop BOGONs at the edge before they leak into your network.
>
> Assuming you don't use them in your own infra. And cost of RPF is a lot
> higher than cost of ACL. Them being entirely static entities they
> should be in your edge ACL. The only real justification for loose RPF
> is source based blackholing.
>
> --
> ++ytti
Well, if you are using public IP addresses for infra you are violating your RIR’s policy more than likely. And if you’re using RFC1918 space in your global routing table, then that’s another fiasco you’ll have to deal with. Managing ACLs for customer routes has far more overhead (and cost, i.e. time, human error, etc.) than to just use RPF on an edge port. I believe the OP was talking about multi-homed; in that case, if you run a tight ship in your network, RPF loose is probably a good choice. It at least gives you an easy way to not accept total trash at the edge.
--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://inoc.net/~rblayzor/
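
The trade-off argued in this thread, as an added sketch that is not from either poster: a toy model of loose uRPF, strict uRPF and a static bogon ACL applied to the same source addresses. The FIB, interface names and bogon list are constructed sample data, and loose mode is assumed to ignore the default route.

```python
import ipaddress

# Constructed sample FIB: prefix -> outgoing interface (hypothetical names).
FIB = {
    "0.0.0.0/0": "upstream",        # default route
    "198.51.100.0/24": "edge1",     # customer route on the edge port
    "203.0.113.0/24": "upstream",   # routed, but reached via another port
    "10.0.0.0/8": "core",           # RFC1918 used for internal infrastructure
}
# Constructed, deliberately incomplete static bogon list for the edge ACL.
BOGON_ACL = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
             "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]

def lookup(src, allow_default):
    """Longest-prefix match for src; optionally ignore the default route."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in FIB]
    hits = [n for n in nets if addr in n and (allow_default or n.prefixlen > 0)]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def loose_rpf(src):
    """Loose mode: accept if any non-default route covers the source."""
    return lookup(src, allow_default=False) is not None

def strict_rpf(src, iface):
    """Strict mode: the best route to the source must use the arrival port."""
    best = lookup(src, allow_default=True)
    return best is not None and FIB[str(best)] == iface

def bogon_acl(src):
    """Static ACL: accept unless the source is inside a listed bogon prefix."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(p) for p in BOGON_ACL)

def verdicts(src, iface="edge1"):
    """True means the packet is accepted by that mechanism."""
    return {"loose": loose_rpf(src), "strict": strict_rpf(src, iface),
            "acl": bogon_acl(src)}

if __name__ == "__main__":
    # Constructed source addresses arriving on edge1.
    for src in ("198.51.100.7", "203.0.113.9", "192.168.1.1",
                "10.1.2.3", "192.0.2.1"):
        print(f"{src:15} {verdicts(src)}")
```

In this model loose uRPF drops unrouted sources without any list to maintain, but accepts 10.1.2.3 because RFC1918 space is present in the table, which is the case the quoted reply raises; the static ACL drops it but misses 192.0.2.1, which was left off the list.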