Justin Shore wrote:
I'm assuming everyone uses uRPF at all their edges already so that
eliminates the need for specific ACEs with ingress/egress network
verification checks.
ha. I only wish that was true.
We do filter all customer ports for IPs we believe from them, but darn
few other providers do. (as based on my conversations with many
providers when tracking down attacks from their networks)
That said, we filter nothing else.
Frags are explicitly dropped before any permits.
...? So you have no real, production sites?