[c-nsp] Inbound ACL for ISP - Filtering own routes on ingress?

Larry Smith lesmith at ecsis.net
Wed Jun 22 12:20:45 EDT 2005


On Wednesday 22 June 2005 11:11, Michael Smith wrote:
> Hello All:
>
> There was a discussion on NANOG about this and I would like to hear
> others' responses to the following.  We used to filter our netblocks
> on ingress from our transit and peering connections.  So, if you
> tried to come into our network from one of our addresses the
> assumption was you were a miscreant spoofing an internal address.
>
> However, one of our downstream customers is doing some "fancy" BGP
> work such that he prefers another provider to get from one IP on our
> network to another IP on our network.  So, rather than go through us,
> it goes out through the Internet and comes back in via one of my
> upstreams.
>
> Needless to say, our ACLs broke him.  I explained our position,
> referencing many security resources that show that configuration but
> he felt it was his right to route however he wished and we were being
> unnecessarily strict in our filtering.
>
> Be it that he is a paying customer that actually pays, we rolled over
> and removed the ACL.  So, did we do the right thing?  The wrong
> thing?  A necessary evil?  Is there another way to approach the problem?
>
> Thanks in advance,
>

I have a similar situation - and decided it was "better" (my concept of 
better) and easier to add an exclusion for the IP that needed to come in from 
"outside" and ACL everything else rather than remove the ACLs entirely...

-- 
Larry Smith
SysAd ECSIS.NET
sysad at ecsis.net
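The exception-first approach Larry describes, as an added IOS configuration example (not taken from either post). All addresses are assumed and drawn from the RFC 5737 documentation ranges: 203.0.113.0/24 and 198.51.100.0/24 stand in for "our" netblocks, 203.0.113.45 is the downstream customer's host that legitimately arrives via the other provider, 198.51.100.7 is the host inside our network it is trying to reach, and the ACL and interface names are placeholders.

```cisco
! Added example; addresses, ACL names and interface are assumptions.
!
! Before: blanket anti-spoof ingress ACL on the transit link.  Anything
! sourced from our own blocks is dropped, which is what broke the customer.
ip access-list extended TRANSIT-IN-OLD
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
! After: put the narrow exception first, then keep the same denies.
! IOS evaluates entries top down and stops at the first match, so the
! exception must precede the deny for its netblock or it never fires.
! Matching both source and destination keeps the hole as small as the
! customer's actual traffic pattern (one IP to another IP on our network).
ip access-list extended TRANSIT-IN
 remark Customer-X prefers another provider for this pair; allow only that pair
 permit ip host 203.0.113.45 host 198.51.100.7
 remark Everything else sourced from our own blocks is assumed spoofed
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/1
 description Transit to upstream A
 ip access-group TRANSIT-IN in
```

The same ACL (or one with the same exception line) has to go on every transit and peering interface the customer's traffic might return through, not just the one it happens to use today. `show ip access-lists TRANSIT-IN` shows per-entry hit counts, so you can confirm the permit is matching the customer and the denies are still catching spoofed traffic. The residual risk is that anyone on the Internet can now spoof 203.0.113.45 toward 198.51.100.7 through that link; that is a much smaller exposure than removing the ACL altogether, which is the trade-off being made here.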



