[c-nsp] Best practice infrastructure ACLs and Rate-Limiting

Peter Basquiat peter.basquiat at googlemail.com
Fri Jun 29 03:28:12 EDT 2007


Hello,

I have been pondering for a few months now about best practices for placing and designing
infrastructure ACLs and policing untrusted traffic to an acceptable rate.
When speaking about infrastructure I am thinking about iBGP and eBGP, OSPF,
SNMP, ICMP and SSH. Protecting iBGP is simple when its source interface is placed
on a continuous loopback network. Simply place ACLs on the edge where only a trusted source,
or better no source, is allowed to drop a BGP packet to the loopback IPs.
OSPF is in my opinion similarly protectable: only allow trusted sources, or better nothing,
to the link networks in the core. But what about those applications which are enabled on
more than just the loopbacks? Is there any good practice to protect these ones?

For example iBGP, which is often enabled on customer-facing interfaces with
a wide spread of different and non-continuous network addresses.
What about SSH, only enable it on the loopback?
ICMP is another pain: rate-limiting all customer-facing networks and all core networks directly
on the edge would be nice, but is it possible? Or does it need to be policed on every
interface on every router with rate-limit, MQC or CoPP if supported?

What is your approach and what do you recommend?
It would be nice to discuss this a little bit and hear good strategies to make
the whole internet more safe :-)

PS: I know there are many documents on this, but hearing about actual
approaches on a dynamic mailing list is much more instructive.

