[c-nsp] Inbound ACL for ISP - Filtering own routes on ingress?
Michael Smith
mksmith.lists at gmail.com
Wed Jun 22 12:11:42 EDT 2005
Hello All:
There was a discussion on NANOG about this and I would like to hear
others' responses to the following. We used to filter our netblocks
on ingress from our transit and peering connections. So, if you
tried to come into our network from one of our addresses the
assumption was you were a miscreant spoofing an internal address.
However, one of our downstream customers is doing some "fancy" BGP
work such that he prefers another provider to get from one IP on our
network to another IP on our network. So, rather than go through us,
it goes out through the Internet and comes back in via one of my
upstreams.
Needless to say, our ACLs broke him.
referencing many security resources that show that configuration but
he felt it was his right to route however he wished and we were being
unnecessarily strict in our filtering.
Be it that he is a paying customer that actually pays, we rolled over
and removed the ACL. So, did we do the right thing? The wrong
thing? A necessary evil? Is there another way to approach the problem?
Thanks in advance,
Mike
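For readers not familiar with the filter being discussed, here is an added example (not from the original post or its author) of what such an ingress ACL looks like in Cisco IOS, together with one way to keep it while exempting a single downstream customer's prefix. The addresses, interface and ACL names are assumptions: 192.0.2.0/24 stands for the provider's own aggregate, 192.0.2.128/25 for the sub-allocation the downstream customer also announces via his other provider, and GigabitEthernet0/0 for the transit-facing interface.

```cisco
! Added example, not from the original post. Addresses, names and
! interfaces are assumptions: 192.0.2.0/24 is "our" aggregate,
! 192.0.2.128/25 is the downstream customer's sub-allocation that he
! also announces to his other provider, Gi0/0 faces the upstream.
!
! --- The original ingress filter: anything arriving from transit with a
! --- source inside our own space is treated as spoofed and dropped.
ip access-list extended TRANSIT-IN
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
!
! --- One alternative: keep the anti-spoofing deny for the aggregate but
! --- carve out the customer's prefix, which legitimately arrives from
! --- transit because of his BGP policy. Order matters: the permit must
! --- sit above the deny, since IOS stops at the first matching entry.
ip access-list extended TRANSIT-IN-EXEMPT
 permit ip 192.0.2.128 0.0.0.127 any
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream transit
 ip access-group TRANSIT-IN-EXEMPT in
```

The trade-off is explicit in the second list: packets from transit claiming a source in 192.0.2.128/25 are no longer dropped, so spoofed traffic using that customer's addresses can now enter, while the rest of the aggregate keeps its protection. Loose-mode uRPF (`ip verify unicast source reachable-via any`) on the transit interface would not restore that protection either, because the spoofed source is in the routing table; it only catches sources with no route at all.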