nanog mailing list archives
Re: Ingress filtering on transits, peers, and IX ports
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Thu, 15 Oct 2020 12:56:35 +0200
This is about ingress ACL not egress. tor. 15. okt. 2020 12.00 skrev <adamv0025 () netconsultings com>:
Simple, All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs -it’s a simple ACL at each AS-Exit points (towards transits/peers), that’s it. -not sure why this isn’t the first sentence in every BCP and “security bulletin”… adam *From:* NANOG <nanog-bounces+adamv0025=netconsultings.com () nanog org> *On Behalf Of *Baldur Norddahl *Sent:* Thursday, October 15, 2020 8:38 AM *To:* nanog () nanog org *Subject:* Re: Ingress filtering on transits, peers, and IX ports All DNS resolvers discovered on our network belong to customers. Our own resolvers, running unbound, were not discovered. While filtering same AS on ingress could help those customers (but only one was a open relay), filtering bogons is something the customer can also do. Or the software can be fixed. Do we really expect the ISP to implement firewalls instead of customers upgrading software? I also note that apparently our own ISPs (transits) do not filter bogons either. The above is a principal question. I am going to filter bogons, it just is not very high on my long list of stuff to do. Regards Baldur ons. 14. okt. 2020 20.53 skrev Casey Deccio <casey () deccio net>: Hi Bryan,On Oct 14, 2020, at 12:43 PM, Bryan Holloway <bryan () shout net> wrote: I too would like to know more about their methodologyWe've written up our methodology and results in a paper that will be available in a few weeks. Happy to post it here if folks are interested. Obviously, no networks are individually identified; it's all aggregate. Also, we're working on a self-test tool, but it's not quite ready yet. Sorry.and actual tangibles ideally in the form of PCAPs.What do you mean by "tangibles in the form of PCAPs"? Casey
Current thread:
- Re: Ingress filtering on transits, peers, and IX ports, (continued)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Saku Ytti (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Nick Hilliard (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Chris Adams (Oct 15)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 15)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 15)