[c-nsp] do I need acl on wan bgp port ?

Ang Kah Yik mailinglist at bangky.net
Fri Sep 12 07:39:27 EDT 2008


Hi Julien,

This topic may actually be more suited to other mailing lists such as
NANOG rather than a Cisco specific list.
Anyway, I believe it is more common that ISPs deploy the use of uRPF
(unicast reverse path forwarding) rather than ACLs.

At the very least, the use of loose mode RPF ensures that the prefix
from which a packet is sourced exists within the routing table. Thus,
packets sourced from RFC1918 addresses ought to be blocked since they
should not be appearing in the routing tables of most BGP routers.
This also applies to packets that you are null routing (such as the
bogon prefixes that you have mentioned).

In terms of performance, there are specific performance gains if RPF
is used rather than a long ACL to block prefixes.

The more experienced members on this list may wish to share their
opinion and correct me if I'm wrong. Cheers.

On Fri, Sep 12, 2008 at 7:20 PM, julien leroiso
<julien.leroiso at gmail.com> wrote:
> Hi,
>
> I blocked BGP bogon announcements[1] like many other admins (I hope).
>
> I want to know if it's common that ISPs add an ACL to the WAN port to block
> at least RFC1918 IP addresses.
> And, conversely, an ACL to prevent outgoing spoofing.
>
>
> [1] http://www.cymru.com/Documents/secure-bgp-template.html



-- 
Ang Kah Yik (bangky) - http://blog.bangky.net
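A small simulation of the loose-mode uRPF check described in the reply above, added here as an example (it is not code from the thread or from any vendor): it does a longest-prefix lookup of a packet's source address against a constructed FIB and applies the rules the post describes (no route, or a discard route, means drop). It also models the IOS behaviour that the default route does not satisfy uRPF unless the allow-default option is enabled, since a default route would otherwise make loose mode pass everything. The FIB entries, sample source addresses and the `allow_default` parameter are constructed assumptions.

```python
import ipaddress

# Constructed sample FIB as (prefix, next-hop). "Null0" marks a discard route,
# the kind used to null-route bogon or RFC1918 space.
FIB = [
    ("0.0.0.0/0", "192.0.2.1"),        # default route towards upstream
    ("198.51.100.0/24", "192.0.2.9"),  # a customer prefix
    ("203.0.113.0/24", "192.0.2.9"),   # another customer prefix
    ("10.0.0.0/8", "Null0"),           # RFC1918 space, null-routed
    ("192.168.0.0/16", "Null0"),       # RFC1918 space, null-routed
]


def longest_match(src_ip, fib):
    """Return (network, next_hop) of the most specific FIB entry covering src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def urpf_loose_pass(src_ip, fib, allow_default=False):
    """Loose-mode uRPF decision for a packet with source src_ip.

    Pass only if some non-discard route covers the source. The default route
    does not count unless allow_default is set (the "allow-default" option).
    """
    match = longest_match(src_ip, fib)
    if match is None:
        return False                      # no route at all: drop
    net, next_hop = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches: drop
    return next_hop != "Null0"            # discard route means drop


if __name__ == "__main__":
    # Constructed sample source addresses seen on the WAN interface.
    for src in ["198.51.100.7", "10.1.2.3", "172.16.5.5", "100.64.0.1"]:
        verdict = "pass" if urpf_loose_pass(src, FIB) else "drop"
        print(f"{src:>15}  {verdict}")
```

Note that 172.16.5.5 is dropped only because no specific route covers it; with allow_default=True it would pass, which is the trade-off to keep in mind when relying on loose mode on a router that carries a default route.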

