nanog mailing list archives
Re: Customer-facing ACLs
From: Mark Tinka <mtinka () globaltransit net>
Date: Sun, 9 Mar 2008 12:24:31 +0800
On Saturday 08 March 2008, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)? This of course is dependent on the type of customer, so let's assume we're talking about an average residential customer.

We supply to mid-to-small ISPs mostly, and sizeable enterprise customers; so the degree to which we can filter is limited.

That said, at the edge, we run uRPF on all customer-facing ports (loose or strict, depending on the deployment). In addition, on each edge router's core-facing uplinks, we run egress ACLs matching RFC 1918 and RFC 3330 (yes, with uRPF downstream to the customers, this might seem redundant, but we've actually seen some 'catches', so it appears to help us solidify our filtering implementation).

In the core, we don't filter or run uRPF, for obvious reasons.

On our border routers, we deploy ingress filters, again, cutting off RFC 1918 and RFC 3330.

On peering routers (private peering and exchange points), we run uRPF on our peering interface (taking care to run loose mode in case private peers also peer at the public exchange point). Again, upstream ACLs are implemented on core-facing uplinks to "double-check".

As you can tell, we don't filter protocols/ports/applications. We leave that to the customer, and insist on it.

All the above goes for IPv6 as well, as appropriate.

We are also quite picky about NLRI filtering (BGP), but that's beyond this scope :-).

Hope this helps.

Cheers,

Mark.
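Added example, not part of the original message: a small Python model of the layering described above, with strict or loose uRPF at the ingress port followed by an ACL on RFC 1918 and RFC 3330 sources. The FIB, the interface names (`cust1`, `ixp`, `pni`, `mgmt`) and the internal 10.0.0.0/8 route are constructed assumptions, the bogon list is a subset of RFC 3330, and the internal-route case is only one possible way an ACL can catch what loose uRPF passes.

```python
import ipaddress

# RFC 1918 space plus a subset of RFC 3330 special-use blocks that are
# never valid as a source address on a public-facing link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",       # RFC 3330
    "192.0.2.0/24", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed FIB (assumption): prefix -> interface of the best route.
FIB = {ipaddress.ip_network(p): i for p, i in (
    ("203.0.113.0/24", "cust1"),    # customer prefix (documentation range)
    ("198.51.100.0/24", "ixp"),     # peer prefix, best path via the exchange
    ("10.0.0.0/8", "mgmt"),         # internal route that also covers RFC 1918
)}

def lookup(src):
    """Longest-prefix match; returns the best-route interface or None."""
    matches = [n for n in FIB if src in n]
    return FIB[max(matches, key=lambda n: n.prefixlen)] if matches else None

def urpf_pass(src, in_iface, mode):
    """Loose: any route to the source. Strict: route must point back out in_iface."""
    best = lookup(src)
    if best is None:
        return False
    return mode == "loose" or best == in_iface

def acl_pass(src):
    """Deny any source inside the RFC 1918 / RFC 3330 list."""
    return not any(src in n for n in BOGONS)

def check(src, in_iface, mode):
    """uRPF at the ingress port first, then the ACL as the second check."""
    src = ipaddress.ip_address(src)
    if not urpf_pass(src, in_iface, mode):
        return "drop:urpf"
    if not acl_pass(src):
        return "drop:acl"
    return "forward"

if __name__ == "__main__":
    for src, iface, mode in (("198.51.100.9", "pni", "strict"),
                             ("198.51.100.9", "pni", "loose"),
                             ("10.1.2.3", "cust1", "loose")):
        print(src, iface, mode, "->", check(src, iface, mode))
```

The `pni` cases show why loose mode is needed when a private peer's best path is via the exchange, and the `10.1.2.3` case shows a packet that loose uRPF passes and only the ACL drops.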