North American Network Operators Group

Re: Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)
> Date: Tue, 09 Oct 2001 07:58:19 -0700
> From: Grant A. Kirkwood <[email protected]>

> I'm currently in the process of setting up a new border router,
> and the recent debate on the above topic got me wondering what
> the best practice filtering policy is? Is there one?

> And what do people put in place in terms of anti-spoofing ACLs
> and such? There's a wealth of information on these topics, but
> no real consensus.

+ If you're running BGP, filter your as-paths and netblocks to
  avoid any unwanted redistribution. This is always a bad thing,
  and long as-paths don't necessarily rule out a path being taken;
  remember that local-pref overrides as-path length. If it's an
  edge router, you needn't worry too much about prefix length --
  they're already filtered for you.

+ You want to prevent forged outbound packets. They have no
  valid[1] use, and forged packets make tracing DoS attacks a
  pain.

  [1] I recall hearing that some satellite downlink Web service
      required the ability to send packets from their netblock.
      However, you can selectively allow these, as you would
      your own netblock.

+ Disallow 10/8, 172.16/12, and 192.168/16 -- no need for them
  to go anywhere.

Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <[email protected]>
To: [email protected]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <[email protected]>, or you are likely to
be blocked.
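
Added example, not part of the original message: a small Python model of the three filters described above (outbound as-path/netblock filtering, egress anti-spoofing with a selective exception, and dropping RFC 1918 space), useful for testing a policy before translating it into router ACLs and prefix lists. All prefixes and AS numbers are constructed documentation values, and the single BGP customer is an assumption.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed sample values (documentation prefixes and ASNs), not from the post.
OWN_NETBLOCKS = [net("198.51.100.0/24")]
CUSTOMERS = {64500: [net("192.0.2.0/24")]}      # assumed BGP customer
ALLOWED_FOREIGN = [net("203.0.113.0/28")]       # selectively allowed, per footnote [1]
PRIVATE = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


def egress_packet_ok(src, dst):
    """Anti-spoofing check for a packet leaving the border router."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in n or dst in n for n in PRIVATE):
        return False                      # private space goes nowhere
    permitted = OWN_NETBLOCKS + ALLOWED_FOREIGN
    for blocks in CUSTOMERS.values():
        permitted = permitted + blocks
    return any(src in n for n in permitted)


def announce_ok(prefix, as_path):
    """Outbound BGP filter: as_path is the path before our own AS is prepended."""
    prefix = net(prefix)
    if any(prefix.overlaps(n) for n in PRIVATE):
        return False
    if not as_path:                       # locally originated (as-path regex ^$)
        allowed = OWN_NETBLOCKS
    elif set(as_path) <= {as_path[0]} and as_path[0] in CUSTOMERS:
        allowed = CUSTOMERS[as_path[0]]   # customer route, prepending tolerated
    else:
        return False                      # learned from a peer or upstream: no transit
    return any(prefix.subnet_of(n) for n in allowed)


if __name__ == "__main__":
    for src, dst in [("198.51.100.7", "203.0.113.200"), ("203.0.113.77", "192.0.2.9"),
                     ("10.1.2.3", "203.0.113.200")]:
        print(src, "->", dst, "permit" if egress_packet_ok(src, dst) else "deny")
    for prefix, path in [("198.51.100.0/24", []), ("203.0.113.0/24", [64510, 64500])]:
        print(prefix, path, "announce" if announce_ok(prefix, path) else "filter")
```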