North American Network Operators Group


Re: Customer-facing ACLs

  • From: Christopher Morrow
  • Date: Tue Mar 11 14:44:40 2008

On Tue, Mar 11, 2008 at 2:27 AM, Jo Rhett <[email protected]> wrote:
>  Justin Shore wrote:
>  > I'm assuming everyone uses uRPF at all their edges already so that
>  > eliminates the need for specific ACEs with ingress/egress network
>  > verification checks.
>  ha.  I only wish that was true.
>  We do filter all customer ports for IPs we believe from them, but darn
>  few other providers do.  (as based on my conversations with many
>  providers when tracking down attacks from their networks)
>  That said, we filter nothing else.
>  > Frags are explicitly dropped before any permits.
>  ...?  So you have no real, production sites?

actually... depending upon platform the frags probably get through (on
a Cisco) if they are associated with another ongoing session... Cisco
ACLs believe that frags are 'ok' (even if you deny fragments in the
ACL) unless the frag can't be put together with an existing session.
Juniper just drops all frags...
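The fragment behaviour the thread argues about is easier to reason about with a small model. The following Python is an added illustration, not code from the NANOG thread or from Cisco; it implements the rules Cisco documents for how IOS ACLs treat IP fragments (an entry with only L3 fields matches initial and non-initial fragments alike; an entry with the `fragments` keyword matches non-initial fragments only; an entry with L4 fields is checked L3-only against a non-initial fragment, so a matching permit permits it and a matching deny is skipped). The model is stateless by design and does not represent any association of fragments with an existing session. The addresses, the ACLs and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    """A packet as the filter sees it. A non-initial fragment (frag_offset > 0)
    carries no L4 header, so its dport is None."""
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    frag_offset: int = 0          # in 8-byte units, as in the IP header

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Ace:
    """One access-list entry. proto "ip" matches any protocol; dport=None means
    the entry carries no L4 information; fragments=True is the `fragments` keyword."""
    action: str                   # "permit" or "deny"
    proto: str
    src: str                      # CIDR, "0.0.0.0/0" stands for `any`
    dst: str
    dport: Optional[int] = None
    fragments: bool = False

    def l3_match(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return (proto_ok
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt, following the documented IOS fragment rules."""
    for ace in acl:
        if not ace.l3_match(pkt):
            continue
        if ace.fragments:
            # The `fragments` keyword makes the entry apply to non-initial fragments only.
            if pkt.non_initial_fragment:
                return ace.action
            continue
        if ace.dport is None:
            # L3-only entry: applies to whole packets and to every fragment.
            return ace.action
        if pkt.non_initial_fragment:
            # Entry has L4 fields but the fragment has no L4 header, so only L3 is
            # checked: a matching permit permits, a matching deny is skipped.
            if ace.action == "permit":
                return "permit"
            continue
        if ace.dport == pkt.dport:
            return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


ANY = "0.0.0.0/0"
WEB_SERVER = "192.0.2.10/32"   # constructed sample host (TEST-NET-1)

# Constructed customer-facing ACL that only permits HTTP to the web server.
WEB_ACL = [
    Ace("permit", "tcp", ANY, WEB_SERVER, dport=80),
    Ace("deny", "ip", ANY, ANY),
]

# The same ACL with fragments explicitly dropped before any permit.
WEB_ACL_DROP_FRAGS = [Ace("deny", "ip", ANY, ANY, fragments=True)] + WEB_ACL

# Constructed sample packets; the fragment offset 185 is what follows a
# 1480-byte first fragment on a 1500-byte MTU link.
HTTP_REQUEST = Packet("198.51.100.7", "192.0.2.10", "tcp", dport=80)
SSH_ATTEMPT = Packet("198.51.100.7", "192.0.2.10", "tcp", dport=22)
SSH_FRAGMENT = Packet("198.51.100.7", "192.0.2.10", "tcp", frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("plain", WEB_ACL), ("frags-dropped", WEB_ACL_DROP_FRAGS)):
        for label, pkt in (("http", HTTP_REQUEST), ("ssh", SSH_ATTEMPT),
                           ("ssh-frag", SSH_FRAGMENT)):
            print(f"{name:14} {label:9} -> {evaluate(acl, pkt)}")
```

Running it shows the two sides of the argument: under the plain ACL the non-initial fragment addressed to port 22 is permitted, because the only entry it can be judged against on L3 alone is the port-80 permit, whereas the leading `deny ip any any fragments` drops it. That same leading deny also drops the non-initial fragments of legitimate, permitted sessions, which is the trade-off a site with real production traffic has to weigh.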