[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tier 2 ingress filtering

See below

Jared Mauch

On Mar 28, 2013, at 5:04 PM, Jimmy Hess <mysidia at gmail.com> wrote:

> Ingress source addresses should optimally ideally be filtered at
> turnup  to the list of authorized prefixes,  if uRPF cannot be
> implemented  (uRPF is convenient, but not necessarily necessary to
> implement ingress filtering),  then access list based on source
> address,  even the nearly oldest of the most ghetto equipment should
> be offering basic ACL functions.

Not everything can do acls at scale. Not all customers have anything reflecting symmetric routing creating a problem in the capabilities in the equipment working as desired. 

Many customers honestly don't know how their things work or think they work in ways that are not fully accurate. You get lots of default pointing even when they run BGP. Lots of people update prefix lists as a last resort vs proactively. Nobody removes things, making it hard. Automation of systems is also hard. Not impossible, but hard. I'm hoping some of the SDN marketing becomes reality when it comes to managing these configs. 

Maybe I will be able to have urpf work with my rpki and sdn.