> On May 27, 2020, at 14:21, Ron Bonica <[email protected]> wrote:
>
> Folks,
>
> Does anybody know of a document that provides general recommendations for
> ACLs to be implemented on service provider edge nodes?

I would suspect there to be substantial variation in what people consider acceptable to drop, but a highly limited number of things that everyone would consider acceptable. By and large, if you're a transit provider your customers are paying for unmolested internet.

Some folks have NTP rate limits baked into their input ACLs due to mon_getlist that would be good to unbake. At this point you could probably recommend policy that would prevent the legacy issues, but it's also likely to be controversial.

Protection of infrastructure space is a substantial portion of the edge ACLs I've implemented. RFC 6192 policies writ large, e.g. overlap with control plane ACLs, figure prominently there.

BCP 38 and 84 are things that notionally get applied to customer-facing edges, hopefully not strict when dealing with multi-homed networks.

Martian filters, again BCP 84 but also BCP 171 and RFC 5735, are things that appear in input ACLs. Sometimes these are implemented as null routes from BGP route reflectors or contributed protocols rather than ACLs.

> Ron
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
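As an added illustration (not part of the thread or anyone's posted configuration), the following Python model walks a packet through the three filter classes the reply above lists for a customer- or peer-facing edge port: a martian filter built from the RFC 5735 special-use IPv4 table, protection of the provider's own infrastructure space in the spirit of RFC 6192, and BCP 38/84 source validation in both strict and loose modes. The infrastructure prefix, the customer prefixes and the routing table are constructed for the example and are not real allocations; the point of the multi-homed customer B, whose prefix is also heard from a transit peer, is to show why the reply says strict mode is risky for multi-homed networks: asymmetric routing makes strict reverse-path checks drop legitimate traffic while loose mode still catches unroutable sources.

```python
"""Toy model of service-provider edge ingress filtering (added example).

Filter order mirrors a typical edge ACL: martians, then infrastructure
protection, then BCP 38/84 source validation. Addresses below other than
the RFC 5735 table are constructed and not real allocations.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# RFC 5735, section 4: special-use IPv4 blocks that should not appear as
# a packet source on a provider's customer-facing or peering edge.
RFC5735_SPECIAL_USE: List[IPv4Network] = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: the provider's own loopbacks and link addresses. An RFC 6192
# style infrastructure ACL drops traffic *to* this space from untrusted
# edges and also drops packets claiming to come *from* it (spoofing).
# Real iACLs carve out exceptions (e.g. eBGP peering addresses); the toy
# does not model those.
INFRA_SPACE: List[IPv4Network] = [ip_network("198.101.0.0/24")]

# Constructed routing table as (prefix, egress interface). Customer B
# (198.102.0.0/24) is multi-homed: the provider also hears its prefix from
# transit peer "peer-X" and that is currently the best path, so strict
# reverse-path checking on interface cust-B would fail for B's own traffic.
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("0.0.0.0/0"), "peer-X"),
    (ip_network("198.101.0.0/24"), "core"),
    (ip_network("198.100.0.0/24"), "cust-A"),
    (ip_network("198.102.0.0/24"), "peer-X"),
]


def in_any(addr: IPv4Address, nets: Iterable[IPv4Network]) -> bool:
    """True if addr falls inside any of the given prefixes."""
    return any(addr in n for n in nets)


def best_route(addr: IPv4Address) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match over ROUTES, ignoring the default route.

    Returns None when only the default route matches, i.e. the address is
    not specifically routable from this router's point of view.
    """
    matches = [r for r in ROUTES if addr in r[0] and r[0].prefixlen > 0]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def classify(src: str, dst: str, ingress_if: str, mode: str = "loose") -> str:
    """Decide the fate of an ingress packet on an edge port.

    mode is "strict" (the best route to src must point back out ingress_if,
    BCP 84 strict uRPF) or "loose" (any non-default route to src is enough,
    which tolerates asymmetric multi-homing).
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    s, d = ip_address(src), ip_address(dst)
    if in_any(s, RFC5735_SPECIAL_USE):
        return "drop:martian-source"
    if in_any(s, INFRA_SPACE):
        return "drop:spoofed-infrastructure-source"
    if in_any(d, INFRA_SPACE):
        return "drop:infrastructure-destination"
    route = best_route(s)
    if route is None:
        return "drop:bcp38-unroutable-source"
    if mode == "strict" and route[1] != ingress_if:
        return "drop:bcp84-strict-rpf"
    return "permit"


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, ingress interface, mode).
    samples = [
        ("10.1.2.3", "198.100.0.9", "cust-A", "loose"),
        ("198.100.0.5", "198.101.0.1", "cust-A", "loose"),
        ("198.101.0.7", "198.100.0.9", "cust-A", "loose"),
        ("198.102.0.5", "198.100.0.9", "cust-B", "strict"),
        ("198.102.0.5", "198.100.0.9", "cust-B", "loose"),
        ("198.103.0.5", "198.100.0.9", "cust-B", "loose"),
    ]
    for pkt in samples:
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} on {pkt[2]:<6} [{pkt[3]:<6}] "
              f"{classify(*pkt)}")
```

Running the block shows customer B's legitimate packets dropped on cust-B under strict mode but permitted under loose mode, while a source with no route at all is dropped in either mode; that is the trade-off behind applying BCP 84 loosely on edges that face multi-homed customers.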
