nanog mailing list archives

Re: Incoming SSDP UDP 1900 filtering


From: Bryan Holloway <bryan () shout net>
Date: Mon, 25 Mar 2019 11:26:25 -0500

On 3/25/19 9:08 AM, Tom Beecher wrote:
If your edge ingress ACLs are not 100% in sync all the time, you will inevitably have Really Weird Stuff happen that will end up taking forever to diagnose.

You will eventually end up closing off a port that something else needs to work properly, and now you have to figure out how to resolve that.

Packet filtering is more computationally taxing than just routing is. Your edge equipment is likely going to be built for maximum routing efficiency. Trying to bite off too much filtering there increases your risk of legit traffic being tossed on the floor.


Not necessarily disagreeing with your posits here, but, empirically speaking, we've had ACLs for stuff like this for years without any incidents or consternation.

And we are careful to ensure that any updates are pushed to all edge ingresses.



On Mon, Mar 25, 2019 at 6:41 AM Tom Hill <tom () ninjabadger net> wrote:

    On 25/03/2019 09:17, Sean Donelan wrote:
     > It's always a bad idea to do packet filtering at your BGP border.


    Wild assertion. Why?

    DoS mitigation, iACLs, BGP security... I can think of lots of very
    sensible reasons.

-- Tom
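An added illustration of the "keep every edge ingress ACL in sync" point in this thread (my example, not code from any of the posters; the router names and the IOS-style "EDGE-IN" ACL text are constructed assumptions): it normalises each edge's ACL so that sequence numbers, remarks and spacing do not count as drift, flags a missing or reordered entry as drift, and checks that the deny for inbound UDP/1900 is actually reached before a catch-all permit, since ACLs are first-match.

```python
"""Check that edge ingress ACLs are in sync and actually drop inbound
UDP/1900 (SSDP) ahead of any catch-all permit.

Constructed example: router names and ACL text below are assumptions for
illustration, shaped like IOS extended ACL configuration.
"""
import re
from typing import Dict, List

# Constructed sample "EDGE-IN" ACLs as they might appear in each edge's
# running configuration. edge1 is the reference policy.
EDGE_ACLS: Dict[str, str] = {
    "edge1": """
ip access-list extended EDGE-IN
 10 remark drop inbound SSDP
 20 deny udp any any eq 1900
 30 deny udp any any eq 19
 1000 permit ip any any
""",
    # Same policy, different sequence numbers and spacing: not drift.
    "edge2": """
ip access-list extended EDGE-IN
 5 remark renumbered, same policy
 15 deny   udp any any eq 1900
 25 deny udp any any eq 19
 2000 permit ip any any
""",
    # The UDP/1900 deny never made it to this edge: drift.
    "edge3": """
ip access-list extended EDGE-IN
 10 deny udp any any eq 19
 1000 permit ip any any
""",
    # All entries present but the catch-all permit comes first: drift,
    # and the denies are dead entries because ACLs are first-match.
    "edge4": """
ip access-list extended EDGE-IN
 10 permit ip any any
 20 deny udp any any eq 1900
 30 deny udp any any eq 19
""",
}

_SEQ = re.compile(r"^\d+\s+")


def normalize_acl(text: str) -> List[str]:
    """Return the ACL as an ordered list of canonical entries.

    Sequence numbers, remarks, the ACL header, blank lines, case and
    extra whitespace are ignored; entry order is preserved because ACL
    evaluation is first-match.
    """
    entries: List[str] = []
    for raw in text.splitlines():
        line = " ".join(raw.lower().split())   # trim + collapse whitespace
        if not line or line.startswith("ip access-list"):
            continue
        line = _SEQ.sub("", line)              # drop the sequence number
        if line.startswith("remark "):
            continue
        entries.append(line)
    return entries


def acl_drift(acls: Dict[str, str], reference: str) -> Dict[str, dict]:
    """Compare every edge's ACL against the reference edge's ACL."""
    ref = normalize_acl(acls[reference])
    report: Dict[str, dict] = {}
    for name, text in acls.items():
        if name == reference:
            continue
        cur = normalize_acl(text)
        report[name] = {
            "missing": [e for e in ref if e not in cur],
            "extra": [e for e in cur if e not in ref],
            # Same entries in a different order is still drift.
            "in_sync": cur == ref,
        }
    return report


def blocks_udp_port(entries: List[str], port: int) -> bool:
    """True if an explicit 'deny udp any any eq <port>' is reached before
    a catch-all permit that would match that traffic first."""
    target = f"deny udp any any eq {port}"
    for entry in entries:
        if entry == target:
            return True
        if entry in ("permit ip any any", "permit udp any any"):
            return False   # shadowed: the permit matches first
    return False           # no explicit deny found


if __name__ == "__main__":
    for edge, result in acl_drift(EDGE_ACLS, "edge1").items():
        drops = blocks_udp_port(normalize_acl(EDGE_ACLS[edge]), 1900)
        print(f"{edge}: in_sync={result['in_sync']} missing={result['missing']} "
              f"extra={result['extra']} drops_udp_1900={drops}")
```

In practice the ACL text would come from each edge's running configuration rather than an inline dict; the comparison is deliberately done on entry order as well as content, because an entry that is present but sits behind a catch-all permit is exactly the kind of "Really Weird Stuff" the thread warns about.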


